It's a great idea to have a template for writing secure Electron apps, but this particular template should only be used with caution. I don't think it has been reviewed or endorsed by the Electron team as actually following those best practices, and I see a few issues just skimming from my phone:

They're trying to expose IPC to the renderer in an unsafe way. See their discussion on this GH issue https://github.com/electron/electron/issues/21437 (referenced from the main readme as blocking some features they want to implement).

On their "building a secure app" page they complain about Electron's quick release cadence: https://github.com/reZach/secure-electron-template/blob/master/docs/secureapps.md

> The trouble that I've found with electron, is that their release schedule is crazy, with only a few months before each major release. We know that electron is a young framework, but it is hard to keep up so quickly!

Electron releases quickly to pull in critical upstream security fixes from Chromium. That reasoning is explained pretty thoroughly in the best practices documentation: https://electronjs.org/docs/tutorial/security#17-use-a-current-version-of-electron

I haven't looked at their implementations of the other security best practices, so these might be the only red flags, but I'd still recommend against just blindly copying the template without understanding and verifying the best practices they're attempting to implement.
If anyone is interested in Electron application security, I wrote a guide that explains the methodology behind some of the choices the author here has taken and even goes a bit further in a variety of areas: https://know.bishopfox.com/research/reasonably-secure-electron
I wish that Safari would support Progressive Web Apps on Desktop like Chrome. I would much rather provide an Application Manifest and Service Worker than building a pseudo native desktop app.
This is based on the Security documentation that the Electron team maintains, which is full of good advice: https://electronjs.org/docs/tutorial/security
For other types of security try https://github.com/tauri-apps/tauri

It is an Electron-like framework written in Rust, and is designed to be as lightweight as possible.
It would be cool to have a regression testsuite showing "insecure" code for each class of security problem, and showing that the problem is fixed by the template.
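One shape such a regression check could take, written here as an added JavaScript example (not code from the template, from the Electron project, or from any commenter): a pure-data audit of the `webPreferences` handed to `BrowserWindow` against the settings listed in Electron's security tutorial, alongside the allow-listed IPC bridge pattern that the earlier comment's "exposing IPC to the renderer in an unsafe way" concern is about. `auditWebPreferences`, `makeIpcBridge`, the fake `ipcRenderer`, the channel names and both configurations are constructed for this illustration; Electron itself is not needed to run it, which is what lets it sit in a plain CI job.

```javascript
'use strict';

// webPreferences the Electron security tutorial tells you to set, with the
// value each should have. Every key must be present: defaults have moved
// between Electron major versions, so an audit that accepted "unset" could
// pass today and silently fail after the next upgrade.
const EXPECTED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,            // page scripts must not get Node's require()
  nodeIntegrationInWorker: false,
  contextIsolation: true,            // preload and page run in separate JS worlds
  sandbox: true,                     // Chromium sandbox for the renderer process
  webSecurity: true,                 // keep the same-origin policy
  allowRunningInsecureContent: false,
  experimentalFeatures: false,
  enableRemoteModule: false,         // `remote` exposes main-process objects (older Electron)
});

// Audit the webPreferences object handed to `new BrowserWindow(...)`.
// Returns one finding per deviation; an empty array means compliant.
function auditWebPreferences(webPreferences) {
  const prefs = webPreferences || {};
  const findings = [];
  for (const [key, want] of Object.entries(EXPECTED_WEB_PREFERENCES)) {
    const have = prefs[key];
    if (have !== want) {
      findings.push({ key, have, want, reason: have === undefined ? 'unset' : 'wrong value' });
    }
  }
  return findings;
}

// Preload-side IPC bridge. Instead of `window.ipcRenderer = ipcRenderer`
// (which lets any page script talk to any main-process handler), expose a
// frozen object that only forwards allow-listed channels. `ipcRenderer` is
// a parameter so the function can be exercised with the fake below; in a
// real preload you would pass require('electron').ipcRenderer and publish
// the result with contextBridge.exposeInMainWorld('api', bridge).
function makeIpcBridge(ipcRenderer, allowedChannels) {
  const allowed = new Set(allowedChannels);
  return Object.freeze({
    send(channel, payload) {
      if (!allowed.has(channel)) {
        throw new Error(`IPC channel not allowed from renderer: ${channel}`);
      }
      ipcRenderer.send(channel, payload);
    },
  });
}

// Test double for electron.ipcRenderer that records what was sent.
function makeFakeIpcRenderer() {
  const sent = [];
  return { sent, send(channel, payload) { sent.push({ channel, payload }); } };
}

// Constructed "before" and "after" configurations for the regression check.
const INSECURE_WINDOW_OPTIONS = {
  webPreferences: { nodeIntegration: true, contextIsolation: false, enableRemoteModule: true },
};
const HARDENED_WINDOW_OPTIONS = {
  webPreferences: { ...EXPECTED_WEB_PREFERENCES, preload: '/app/preload.js' },
};

// Run both checks and return a summary (the insecure config must fail the
// audit, the hardened one must pass, and the bridge must drop the
// non-allow-listed channel before it reaches the main process).
function runRegressionChecks() {
  const insecure = auditWebPreferences(INSECURE_WINDOW_OPTIONS.webPreferences);
  const hardened = auditWebPreferences(HARDENED_WINDOW_OPTIONS.webPreferences);

  const fake = makeFakeIpcRenderer();
  const api = makeIpcBridge(fake, ['app:open-file', 'app:save-file']);
  api.send('app:open-file', { path: 'notes.txt' });
  let blocked = false;
  try {
    api.send('shell:exec', 'calc.exe'); // not allow-listed: must throw
  } catch (e) {
    blocked = true;
  }

  return {
    insecureFindings: insecure.length,
    hardenedFindings: hardened.length,
    forwarded: fake.sent.length,
    blockedChannel: blocked,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runRegressionChecks(), null, 2));
}
```

The audit deliberately treats a missing key as a finding rather than consulting Electron's defaults: it forces the project to state every security-relevant preference explicitly, so a default that flips in a new major release (the release cadence the first comment mentions) cannot quietly change the app's posture.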
> Secure Electron App

Bit of an oxymoron, no?

/facetiousness

On a lighter note:

> Feature #1

> Only load secure content - (Need help!)

What kind of help? For this template project?!