docs: add note about fuses to our security documentation (#41210)

* Add note about fuses to our security documentation Additionally, add the missing #18 to the ToC. * lint issues for security.md * Update docs/tutorial/security.md Co-authored-by: Felix Rieseberg <fr@makenotion.com> * move reference links to bottom of security.md --------- Co-authored-by: Felix Rieseberg <fr@makenotion.com>
electron · Feb 2, 2024 · 3ec04fd · 3ec04fd
1 parent 2ebaebb
commit 3ec04fd
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
@@ -114,6 +114,8 @@ You should at least follow these steps to improve the security of your applicati
 15. [Do not use `shell.openExternal` with untrusted content](#15-do-not-use-shellopenexternal-with-untrusted-content)
 16. [Use a current version of Electron](#16-use-a-current-version-of-electron)
 17. [Validate the `sender` of all IPC messages](#17-validate-the-sender-of-all-ipc-messages)
+18. [Avoid usage of the `file://` protocol and prefer usage of custom protocols](#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols)
+19. [Check which fuses you can change](#19-check-which-fuses-you-can-change)
 
 To automate the detection of misconfigurations and insecure patterns, it is
 possible to use
@@ -780,6 +782,28 @@ set of files.
 Follow the [`protocol.handle`](../api/protocol.md#protocolhandlescheme-handler) examples to
 learn how to serve files / content from a custom protocol.
 
+### 19. Check which fuses you can change
+
+Electron ships with a number of options that can be useful but a large portion of
+applications probably don't need. In order to avoid having to build your own version of
+Electron, these can be turned off or on using [Fuses](./fuses.md).
+
+#### Why?
+
+Some fuses, like `runAsNode` and `nodeCliInspect`, allow the application to behave differently
+when run from the command line using specific environment variables or CLI arguments. These
+can be used to execute commands on the device through your application.
+
+This can let external scripts run commands that they potentially would not be allowed to, but
+that your application might have the rights for.
+
+#### How?
+
+We've made a module, [`@electron/fuses`](https://npmjs.com/package/@electron/fuses), to make
+flipping these fuses easy. Check out the README of that module for more details on usage and
+potential error cases, and refer to
+[How do I flip the fuses?](./fuses.md#how-do-i-flip-the-fuses) in our documentation.
+
 [breaking-changes]: ../breaking-changes.md
 [browser-window]: ../api/browser-window.md
 [webview-tag]: ../api/webview-tag.md