Build Apps That Are Safe From Day One.
Free, open source security libraries that stop common attacks before they reach your users. OWASP aligned and drop in, starting with Node.js.
MIT licensed ยท OWASP aligned ยท Node.js 18+
Login protection: breached password checks, brute force lockout, secure hashing.
- Blocks breached passwords at signup
- Rate limiting and account lockout
- bcrypt and Argon2 hashing built in
Token security: JWT issuance, refresh rotation, and session revocation.
- Access and refresh JWT issuance
- Refresh token rotation (RTR)
- Fail shut verification and revocation
Learn by doing
Browser-based tools to measure your app against OWASP standards and see exactly where your gaps are. No sign-up, no tracking.
OWASP ASVS Explorer
All 17 chapters of the OWASP ASVS 5.0 in plain English. See what each chapter checks, why it matters, filter by level, and track your own coverage.
Explore it free โSecurity Checklist
Pick what you are building: login, API, file uploads, admin panel. Get a tailored OWASP-based checklist, mark what is done, and see exactly where your gaps are.
Try it free โHow Secure Is Your Stack?
10 questions across authentication, sessions, and data handling. Takes 2 minutes. Get a risk score and a prioritised list of what to fix in your stack.
Try it free โTwo libraries. One security standard.
OWASP-aligned, drop-in security for Node.js. Each package owns one job and traces every control to a specific OWASP standard.
owlauth
@restingowlorg/owlauthCredential stuffing prevention, breached-password detection, brute force protection, passwordless magic links and security audit logging in one consistent API.
owltokenguard
@restingowlorg/owltokenguardJWT access and refresh issuance, refresh-token rotation, fail-shut verification and session revocation, with Express and Fastify middleware.
Active Threats
Recent CVE advisories and exploit alerts from the RestingOwl security desk.
Build with the RestingOwl community
Follow the roadmap, help shape new packages, and learn security the practical way. Free and open to every developer.