See [Hooks Configuration Reference](#hooks-configuration-reference)
### security
NativeScript supports dynamic `import()` from remote URLs. This is useful during development but carries security implications in production since NativeScript code has **direct access to native platform APIs** (file system, keychain, network, camera, etc.).
| Mode | Remote Modules |
|------|----------------|
| **Debug** | ✅ Always allowed |
| **Production** | ❌ Blocked by default |
#### Enabling Remote Modules in Production
If you need remote ES modules in production, explicitly opt-in:
```typescript
import { NativeScriptConfig } from '@nativescript/core'
export default {
id: 'org.nativescript.myapp',
appPath: 'src',
security: {
allowRemoteModules: true
}
} as NativeScriptConfig
```
#### Using an Allowlist (Recommended)
Restrict to specific trusted origins:
```typescript
export default {
// ...
security: {
allowRemoteModules: true,
remoteModuleAllowlist: [
'https://cdn.yourcompany.com/modules/',
'https://esm.sh/@yourorg/'
]
}
} as NativeScriptConfig
```
The allowlist uses **prefix matching** — a URL is allowed if it starts with any entry.
#### Security Best Practices
- **Keep production secure by default** - Don't enable unless necessary
- **Use narrow allowlists** - Specific paths, not broad domains
- **Pin versions in URLs** - Use immutable, versioned URLs
- **Never use user-controlled URLs** - Injection vulnerability risk
For comprehensive security guidance, see the [Security Guide](/guide/security).
## CLI Configuration Reference
### cli.packageManager
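Review bot: The prefix-matching sentence after the allowlist example ("a URL is allowed if it starts with any entry") should state that every entry has to end at a host or path boundary, that is, with a trailing `/`. Both sample entries do, but nothing says this is required, and with plain prefix matching as described an entry written as `https://cdn.yourcompany.com` would also match a different host whose name merely begins with that string. Suggest adding a sentence along the lines of "End every entry with `/` so the match cannot extend into another host name or sibling path", and saying whether the URL is normalized before the comparison.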
@@ -482,3 +536,94 @@ Available hooks (prefix with `before-` or `after-`):
- `watchPatterns` - Set up watch patterns, runs during `watch` hook
<!-- TODO: check if we are missing some hooks here, ie. before-gradleArgs? -->
## Security Configuration Reference
NativeScript provides security configuration options to control sensitive runtime behaviors, particularly around remote code execution via ES module imports.
::: tip
For comprehensive security guidance and best practices, see the [Security Guide](/guide/security).
:::
### security.allowRemoteModules
```ts
security.allowRemoteModules: boolean = false;
```
Enable remote ES module loading in production builds.
| **Production** (Release builds) | ❌ Blocked by default |
When `false` (the default), any attempt to `import("https://...")` in production will throw an error. This is a security measure because NativeScript code has **direct access to native platform APIs** (file system, keychain, network, camera, etc.).
```ts
export default {
// ...
security: {
allowRemoteModules: true
}
} as NativeScriptConfig
```
::: warning Security Implications
Remote modules bypass App Store/Play Store code review and can access any native API your app has access to. Only enable this if you have a specific, justified need and understand the implications.
:::
### security.remoteModuleAllowlist
```ts
security.remoteModuleAllowlist: string[] = [];
```
Restrict remote modules to specific URL prefixes. Only used when `allowRemoteModules` is `true`.
The allowlist uses **prefix matching** — a URL is allowed if it starts with any entry in the list.
If the allowlist is empty or not provided (and `allowRemoteModules` is `true`), all HTTPS URLs are allowed — this is **not recommended** for production.
### Error Messages
When remote module loading is blocked, you'll see clear error messages:
```
// Remote modules disabled
Remote ES modules are not allowed in production. URL: https://example.com/mod.js.
Enable via security.allowRemoteModules in nativescript.config.ts
// URL not in allowlist
Remote URL not in security.remoteModuleAllowlist: https://untrusted.com/mod.js
```
### Best Practices
1. **Keep production secure by default** — Don't enable `allowRemoteModules` unless necessary
2. **Use narrow allowlists** — Specific paths, not broad domains
3. **Pin versions in URLs** — Use immutable, versioned URLs over mutable endpoints
4. **Never use user-controlled URLs** — Avoid injection vulnerabilities
For more details on security implications and additional best practices, see the [Security Guide](/guide/security).
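Review bot: The example under `security.allowRemoteModules` sets `allowRemoteModules: true` with no `remoteModuleAllowlist`, which is exactly the configuration the next section describes as allowing all HTTPS URLs and "not recommended" for production. Suggest either including the allowlist in that example or adding a sentence directly after it that points to `security.remoteModuleAllowlist`, so a reader who copies the snippet does not end up with the open setting. The `security.remoteModuleAllowlist` section itself has no example in this hunk; a short one with trailing-slash entries would make the prefix-matching rule concrete. It would also help to state what happens to non-HTTPS URLs when the allowlist is empty, since the text only says all HTTPS URLs are allowed.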