Renderify enforces a security-first execution model. Every RuntimePlan passes through a policy checker before any code runs. This is critical because LLM output is fundamentally untrusted — the model could generate script tags, eval calls, or unsafe network requests.

Three built-in profiles provide graduated security postures:

Tight limits, full integrity enforcement. Best for production, multi-tenant, and externally-facing deployments.

RENDERIFY_SECURITY_PROFILE=strict

Banned source patterns (strict): eval(), new Function(), fetch(), XMLHttpRequest, WebSocket, importScripts, document.cookie, localStorage, sessionStorage, indexedDB, navigator.sendBeacon, child_process, process.env

Moderate limits suitable for most applications. Relaxes integrity requirements while maintaining code safety.

RENDERIFY_SECURITY_PROFILE=balanced

Banned source patterns (balanced): eval(), new Function(), fetch(), XMLHttpRequest, WebSocket, importScripts, document.cookie, localStorage, sessionStorage, child_process

Permissive limits for trusted environments, internal tools, and development.

RENDERIFY_SECURITY_PROFILE=relaxed

Banned source patterns (relaxed): child_process only

The full policy interface:

interface RuntimeSecurityPolicy {
  blockedTags: string[];
  maxTreeDepth: number;
  maxNodeCount: number;
  allowInlineEventHandlers: boolean;
  allowedModules: string[];
  allowedNetworkHosts: string[];
  allowArbitraryNetwork: boolean;
  allowedExecutionProfiles: Array<
    "standard" | "isolated-vm" | "sandbox-worker" | "sandbox-iframe" | "sandbox-shadowrealm"
  >;
  maxTransitionsPerPlan: number;
  maxActionsPerTransition: number;
  maxAllowedImports: number;
  maxAllowedExecutionMs: number;
  maxAllowedComponentInvocations: number;
  allowRuntimeSourceModules: boolean;
  maxRuntimeSourceBytes: number;
  supportedSpecVersions: string[];
  requireSpecVersion: boolean;
  requireModuleManifestForBareSpecifiers: boolean;
  requireModuleIntegrity: boolean;
  allowDynamicSourceImports: boolean;
  sourceBannedPatternStrings: string[];
  maxSourceImportSpecifiers: number;
}

You can override individual policy settings while keeping a base profile:

import { DefaultSecurityChecker } from "@renderify/security";

const checker = new DefaultSecurityChecker();
checker.initialize({
  profile: "balanced",
  overrides: {
    maxTreeDepth: 20,
    maxNodeCount: 1000,
    allowedNetworkHosts: ["ga.jspm.io", "cdn.jspm.io", "my-cdn.example.com"],
    sourceBannedPatternStrings: [
      "\\beval\\s*\\(",
      "\\bnew\\s+Function\\b",
      "\\bcrypto\\b",
    ],
  },
});

Element nodes with blocked tags are rejected:

{ "type": "element", "tag": "script" }  // REJECTED
{ "type": "element", "tag": "iframe" }  // REJECTED
{ "type": "element", "tag": "div" }     // OK

The UI renderer also provides a second layer of tag sanitization, converting blocked tags to <div data-renderify-sanitized-tag="script"></div>.

Module specifiers are validated against the allowlist:

"lodash-es"                          → Checked against allowedModules prefixes
"https://ga.jspm.io/npm:lodash..."   → Host checked against allowedNetworkHosts
"https://evil.com/malware.js"        → REJECTED (host not in allowlist)
"../../../etc/passwd"                 → REJECTED (path traversal)

Plan capabilities are validated against policy limits:

{
  "capabilities": {
    "maxImports": 500, // Checked against policy maxAllowedImports
    "maxExecutionMs": 30000, // Checked against policy maxAllowedExecutionMs
    "maxComponentInvocations": 1000
  }
}

All state paths are checked for prototype pollution:

"user.name"          → OK
"__proto__.polluted"  → REJECTED
"constructor.hack"    → REJECTED
"prototype.inject"    → REJECTED

Source code undergoes static analysis:

• Size limit — source byte count must be within maxRuntimeSourceBytes
• Import count — source import specifiers must be within maxSourceImportSpecifiers
• Banned patterns — regex patterns matched against source (e.g., eval(), fetch())
• Dynamic imports — import() expressions are blocked unless explicitly allowed
• Manifest coverage — bare import specifiers must have manifest entries (when required)

In strict profile:

{
  "moduleManifest": {
    "recharts": {
      "resolvedUrl": "https://ga.jspm.io/npm:recharts@3.3.0/es6/index.js",
      "integrity": "sha384-abc123..." // Required in strict mode
    }
  }
}

Missing manifest entries for bare specifiers or missing integrity hashes for remote modules generate policy violations.

The UI renderer provides additional XSS protection beyond the policy checker (including light DOM + shadow DOM subtree sanitization):

Even if a tag passes the policy check, the renderer blocks: script, style, iframe, object, embed, link, meta, base, form.

Blocked tags are rendered as: <div data-renderify-sanitized-tag="script"></div>

• Event handlers — on* attributes are stripped (converted to runtime event bindings instead)
• URL validation — href and src attributes reject javascript: and data: protocols
• Style validation — inline style values are checked for XSS patterns:
  • expression()
  • javascript:
  • data: (non-image)
  • @import
  • url() (blocked in render layer for defense-in-depth)
  • CSS escape obfuscation patterns
  • Null byte injection

Links with target="_blank" automatically receive rel="noopener noreferrer" to prevent reverse tabnapping.

# Security profile
RENDERIFY_SECURITY_PROFILE=strict|balanced|relaxed

# Runtime manifest enforcement
RENDERIFY_RUNTIME_ENFORCE_MANIFEST=true|false

# Sandbox mode
RENDERIFY_RUNTIME_BROWSER_SANDBOX_MODE=none|worker|iframe|shadowrealm
RENDERIFY_RUNTIME_BROWSER_SANDBOX_TIMEOUT_MS=4000
RENDERIFY_RUNTIME_BROWSER_SANDBOX_FAIL_CLOSED=true|false

For production deployments that require deterministic supplier boundaries, enable:

RENDERIFY_RUNTIME_JSPM_ONLY_STRICT_MODE=true

This preset enforces:

• security profile = strict
• module manifest required for bare specifiers
• integrity required for remote modules
• dependency preflight fail-fast
• fallback CDNs disabled (JSPM-only resolution path)

import { DefaultSecurityChecker } from "@renderify/security";
import type { RuntimePlan } from "@renderify/ir";

const checker = new DefaultSecurityChecker();
checker.initialize({ profile: "balanced" });

const plan: RuntimePlan = {
  /* ... */
};
const result = await checker.checkPlan(plan);

if (!result.safe) {
  console.error("Security issues:", result.issues);
  console.error("Diagnostics:", result.diagnostics);
}

// Check a single module specifier
const moduleCheck = checker.checkModuleSpecifier("https://evil.com/script.js");
console.log(moduleCheck.safe); // false