Security and permissions [proxy]

Deno is secure by default. Unless you specifically enable it, a program run with Deno has no access to sensitive APIs, such as file system access, network connectivity, or environment access. You must explicitly grant access to these resources with command line flags or with a runtime permission prompt. This is a major difference from Node, where dependencies are automatically granted full access to all system I/O, potentially introducing hidden vulnerabilities into your project.

Before using Deno to run completely untrusted code, read the section on executing untrusted code below.

Key Principles Jump to heading

Before diving into the specifics of permissions, it's important to understand the key principles of Deno's security model:

No access to I/O by default: Code executing in a Deno runtime has no access to read or write arbitrary files on the file system, to make network requests or open network listeners, to access environment variables, or to spawn subprocesses.
No limits on the execution of code at the same privilege level: Deno allows the execution of any code (JS/TS/Wasm) via multiple means, including eval, new Function, dynamic imports and web workers at the same privilege level with little restriction as to where the code originates (network, npm, JSR, etc).
Multiple invocations of the same application can share data: Deno provides a mechanism for multiple invocations of the same application to share data, through built in caching and KV storage APIs. Different applications can not see each other's data.
All code executing on the same thread shares the same privilege level: All code executing on the same thread shares the same privilege level. It is not possible for different modules to have different privilege levels within the same thread.
Code can not escalate its privileges without user consent: Code executing in a Deno runtime can not escalate its privileges without the user agreeing explicitly to an escalation via interactive prompt or a invocation time flag.
The initial static module graph can import local files without restrictions: All files that are imported in the initial static module graph can be imported without restrictions, so even if an explicit read permission is not granted for that file. This does not apply to any dynamic module imports.

These key principles are designed to provide an environment where a user can execute code with minimal risk of harm to the host machine or network. The security model is designed to be simple to understand and to provide a clear separation of concerns between the runtime and the code executing within it. The security model is enforced by the Deno runtime, and is not dependent on the underlying operating system.

Permissions Jump to heading

By default, access to most system I/O is denied. There are some I/O operations that are allowed in a limited capacity, even by default. These are described below.

To enable these operations, the user must explicitly grant permission to the Deno runtime. This is done by passing the --allow-read, --allow-write, --allow-net, --allow-env, and --allow-run flags to the deno command.

During execution of a script, a user can also explicitly grant permission to specific files, directories, network addresses, environment variables, and subprocesses when prompted by the runtime. Prompts are not shown if stdout/stderr are not a TTY, or when the --no-prompt flag is passed to the deno command.

Users can also explicitly disallow access to specific resources by using the --deny-read, --deny-write, --deny-net, --deny-env, and --deny-run flags. These flags take precedence over the allow flags. For example, if you allow network access but deny access to a specific domain, the deny flag will take precedence.

Deno also provides a --allow-all flag that grants all permissions to the script. This disables the security sandbox entirely, and should be used with caution. The --allow-all has the same security properties as running a script in Node.js (ie none).

Definition: -A, --allow-all

deno run -A script.ts
deno run --allow-all script.ts

By default, Deno will not generate a stack trace for permission requests as it comes with a hit to performance. Users can enable stack traces with the DENO_TRACE_PERMISSIONS environment variable to 1.

Deno can also generate an audit log of all accessed permissions; this can be achieved using the DENO_AUDIT_PERMISSIONS environment variable to a path. This works regardless if permissions are allowed or not. The output is in JSONL format, where each line is an object with the following keys:

v: the version of the format
datetime: when the permission was accessed, in RFC 3339 format
permission: the name of the permission
value: the value that the permission was accessed with, or null if it was accessed with no value

A schema for this can be found in permission-audit.v1.json.

In addition, this env var can be combined with the above-mentioned DENO_TRACE_PERMISSIONS, which then adds a new stack field to the entries which is an array contain all the stack trace frames.

Configuration file Jump to heading

Deno supports storing permissions in the deno.json/deno.jsonc file. Read more under configuration.

File system access Jump to heading

By default, executing code can not read or write arbitrary files on the file system. This includes listing the contents of directories, checking for the existence of a given file, and opening or connecting to Unix sockets.

Access to read files is granted using the --allow-read (or -R) flag, and access to write files is granted using the --allow-write (or -W) flag. These flags can be specified with a list of paths to allow access to specific files or directories and any subdirectories in them.

Definition: --allow-read[=<PATH>...] or -R[=<PATH>...]

# Allow all reads from file system
deno run -R script.ts
# or 
deno run --allow-read script.ts

# Allow reads from file foo.txt and bar.txt only
deno run --allow-read=foo.txt,bar.txt script.ts

# Allow reads from any file in any subdirectory of ./node_modules
deno run --allow-read=node_modules script.ts

Definition: --deny-read[=<PATH>...]

# Allow reading files in /etc but disallow reading /etc/hosts
deno run --allow-read=/etc --deny-read=/etc/hosts script.ts

# Deny all read access to disk, disabling permission prompts for reads.
deno run --deny-read script.ts

Definition: --allow-write[=<PATH>...] or -W[=<PATH>...]

# Allow all writes to file system
deno run -W script.ts
# or 
deno run --allow-write script.ts

# Allow writes to file foo.txt and bar.txt only
deno run --allow-write=foo.txt,bar.txt script.ts

Definition: --deny-write[=<PATH>...]

# Allow reading files in current working directory 
# but disallow writing to ./secrets directory.
deno run --allow-write=./ --deny-write=./secrets script.ts

# Deny all write access to disk, disabling permission prompts.
deno run --deny-write script.ts

Some APIs in Deno are implemented using file system operations under the hood, even though they do not provide direct read/write access to specific files. These APIs read and write to disk but do not require any explicit read/write permissions. Some examples of these APIs are:

localStorage
Deno KV
caches
Blob

Because these APIs are implemented using file system operations, users can use them to consume file system resources like storage space, even if they do not have direct access to the file system.

During module loading, Deno can load files from disk. This sometimes requires explicit permissions, and sometimes is allowed by default:

All files that are imported from the entrypoint module in a way that they can be statically analyzed are allowed to be read by default. This includes static import statements and dynamic import() calls where the argument is a string literal that points to a specific file or a directory of files. The full list of files that are in this list can be printed using deno info <entrypoint>.
Files that are dynamically imported in a way that can not be statically analyzed require runtime read permissions.
Files inside of a node_modules/ directory are allowed to be read by default.

When fetching modules from the network, or when transpiling code from TypeScript to JavaScript, Deno uses the file system as a cache. This means that file system resources like storage space can be consumed by Deno even if the user has not explicitly granted read/write permissions.

Network access Jump to heading

By default, executing code can not make network requests, open network listeners or perform DNS resolution. This includes making HTTP requests, opening TCP/UDP sockets, and listening for incoming connections on TCP or UDP.

Network access is granted using the --allow-net flag. This flag can be specified with a list of IP addresses or hostnames to allow access to specific network addresses.

Definition: --allow-net[=<IP_OR_HOSTNAME>...] or -N[=<IP_OR_HOSTNAME>...]

# Allow network access
deno run -N script.ts
# or
deno run --allow-net script.ts

# Allow network access to github.com and jsr.io
deno run --allow-net=github.com,jsr.io script.ts

# A hostname at port 80:
deno run --allow-net=example.com:80 script.ts

# An IPv4 address on port 443
deno run --allow-net=1.1.1.1:443 script.ts

# An IPv6 address, all ports allowed
deno run --allow-net=[2606:4700:4700::1111] script.ts

Definition: --deny-net[=<IP_OR_HOSTNAME>...]

# Allow access to network, but deny access 
# to github.com and jsr.io
deno run --allow-net --deny-net=github.com,jsr.io script.ts

# Deny all network access, disabling permission prompts.
deno run --deny-net script.ts

During module loading, Deno can load modules from the network. By default Deno allows loading modules from the following locations using both static and dynamic imports, without requiring explicit network access:

https://deno.land/
https://jsr.io/
https://esm.sh/
https://raw.githubusercontent.com
https://gist.githubusercontent.com

These locations are trusted "public good" registries that are not expected to enable data exfiltration through URL paths. You can add more trusted registries using the --allow-import flag.

In addition Deno allows importing any NPM package through npm: specifiers.

Deno also sends requests to https://dl.deno.land/ at most once a day to check for updates to the Deno CLI. This can be disabled using DENO_NO_UPDATE_CHECK=1 environment var.

Environment variables Jump to heading

By default, executing code can not read or write environment variables. This includes reading environment variables, and setting new values.

Access to environment variables is granted using the --allow-env flag. This flag can be specified with a list of environment variables to allow access to specific environment variables. Starting with Deno v2.1, you can now specify suffix wildcards to allow “scoped” access to environmental variables.

Definition: --allow-env[=<VARIABLE_NAME>...] or -E[=<VARIABLE_NAME>...]

# Allow access to all environment variables
deno run -E script.ts
# or
deno run --allow-env script.ts

# Allow HOME and FOO environment variables
deno run --allow-env=HOME,FOO script.ts

# Allow access to all environment variables starting with AWS_
deno run --allow-env="AWS_*" script.ts

Definition: --deny-env[=<VARIABLE_NAME>...]

# Allow all environment variables except 
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
deno run \
  --allow-env \
  --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY \
  script.ts

# Deny all access to env variables, disabling permission prompts.
deno run --deny-env script.ts

Note for Windows users: environment variables are case insensitive on Windows, so Deno also matches them case insensitively (on Windows only).

Deno reads certain environment variables on startup, such as DENO_DIR and NO_COLOR (see the full list).

The value of the NO_COLOR environment variable is visible to all code running in the Deno runtime, regardless of whether the code has been granted permission to read environment variables.

System Information Jump to heading

By default, executing code can not access system information, such as the operating system release, system uptime, load average, network interfaces, and system memory information.

Access to system information is granted using the --allow-sys flag. This flag can be specified with a list of allowed interfaces from the following list: hostname, osRelease, osUptime, loadavg, networkInterfaces, systemMemoryInfo, uid, and gid. These strings map to functions in the Deno namespace that provide OS info, like Deno.systemMemoryInfo.

Definition: --allow-sys[=<API_NAME>...] or -S[=<API_NAME>...]

# Allow all system information APIs
deno run -S script.ts
# or
deno run --allow-sys script.ts

# Allow systemMemoryInfo and osRelease APIs
deno run --allow-sys="systemMemoryInfo,osRelease" script.ts

Definition: --deny-sys[=<API_NAME>...]

# Allow accessing all system information but "networkInterfaces"
deno run --allow-sys --deny-sys="networkInterfaces" script.ts

# Deny all access to system information, disabling permission prompts.
deno run --deny-sys script.ts

Subprocesses Jump to heading

Code executing inside of a Deno runtime can not spawn subprocesses by default, as this would constitute a violation of the principle that code can not escalate its privileges without user consent.

Deno provides a mechanism for executing subprocesses, but this requires explicit permission from the user. This is done using the --allow-run flag.

Any subprocesses you spawn from your program run independently from the permissions granted to the parent process. This means the child processes can access system resources regardless of the permissions you granted to the Deno process that spawned it. This is often referred to as privilege escalation.

Because of this, make sure you carefully consider if you want to grant a program --allow-run access: it essentially invalidates the Deno security sandbox. If you really need to spawn a specific executable, you can reduce the risk by limiting which programs a Deno process can start by passing specific executable names to the --allow-run flag.

Definition: --allow-run[=<PROGRAM_NAME>...]

# Allow running all subprocesses
deno run --allow-run script.ts

# Allow running "curl" and "whoami" subprocesses
deno run --allow-run="curl,whoami" script.ts

Caution

You probably don't ever want to use --allow-run=deno unless the parent process has --allow-all, as being able to spawn a deno process means the script can spawn another deno process with full permissions.

Definition: --deny-run[=<PROGRAM_NAME>...]

# Allow running running all programs, but "whoami" and "ps".
deno run --allow-run --deny-run="whoami,ps" script.ts

# Deny all access for spawning subprocessing, disabling
# permission prompts.
deno run --deny-run script.ts

By default npm packages will not have their post-install scripts executed during installation (like with deno install), as this would allow arbitrary code execution. When running with the --allow-scripts flag, post-install scripts for npm packages will be executed as a subprocess.

FFI (Foreign Function Interface) Jump to heading

Deno provides an FFI mechanism for executing code written in other languages, such as Rust, C, or C++, from within a Deno runtime. This is done using the Deno.dlopen API, which can load shared libraries and call functions from them.

By default, executing code can not use the Deno.dlopen API, as this would constitute a violation of the principle that code can not escalate it's privileges without user consent.

In addition to Deno.dlopen, FFI can also be used via Node-API (NAPI) native addons. These are also not allowed by default.

Both Deno.dlopen and NAPI native addons require explicit permission using the --allow-ffi flag. This flag can be specified with a list of files or directories to allow access to specific dynamic libraries.

Like subprocesses, dynamic libraries are not run in a sandbox and therefore do not have the same security restrictions as the Deno process they are being loaded into. Therefore, use with extreme caution.

Definition: --allow-ffi[=<PATH>...]

# Allow loading dynamic all libraries
deno run --allow-ffi script.ts

# Allow loading dynamic libraries from a specific path
deno run --allow-ffi=./libfoo.so script.ts

Definition: --deny-ffi[=<PATH>...]

# Allow loading all dynamic libraries, but ./libfoo.so
deno run --allow-ffi --deny-ffi=./libfoo.so script.ts

# Deny loading all dynamic libraries, disabling permission prompts.
deno run --deny-ffi script.ts

Importing from the Web Jump to heading

Allow importing code from the Web. By default Deno limits hosts you can import code from. This is true for both static and dynamic imports.

If you want to dynamically import code, either using the import() or the new Worker() APIs, additional permissions need to be granted. Importing from the local file system requires --allow-read, but Deno also allows to import from http: and https: URLs. In such case you will need to specify an explicit --allow-import flag:

# allow importing code from `https://example.com`
$ deno run --allow-import=example.com main.ts

By default Deno allows importing sources from following hosts:

deno.land
esm.sh
jsr.io
cdn.jsdelivr.net
raw.githubusercontent.com
gist.githubusercontent.com

Imports are only allowed using HTTPS.

This allow list is applied by default for static imports, and by default to dynamic imports if the --allow-import flag is specified.

# allow dynamically importing code from `https://deno.land`
$ deno run --allow-import main.ts

Note that specifying an allow list for --allow-import will override the list of default hosts.

Evaluation of code Jump to heading

Deno sets no limits on the execution of code at the same privilege level. This means that code executing in a Deno runtime can use eval, new Function, or even dynamic import or web workers to execute arbitrary code with the same privilege level as the code that called eval, new Function, or the dynamic import or web worker.

This code can be hosted on the network, be in a local file (if read permissions are granted), or be stored as plain text in a string inside of the code that called eval, new Function, or the dynamic import or web worker.

Executing untrusted code Jump to heading

While Deno provides security features that are designed to protect the host machine and network from harm, untrusted code is still scary. When executing untrusted code, it is important to have more than one layer of defense. Some suggestions for executing untrusted code are outlined below, and we recommend using all of these when executing arbitrary untrusted code:

Run deno with limited permissions and determine upfront what code actually needs to run (and prevent more code being loaded using --frozen lockfile and --cached-only).
Use OS provided sandboxing mechanisms like chroot, cgroups, seccomp, etc.
Use a sandboxed environment like a VM or MicroVM (gVisor, Firecracker, etc).

Permission broker Jump to heading

For centralized and policy-driven permission decisions, Deno can delegate all permission checks to an external broker process. Enable this by setting the DENO_PERMISSION_BROKER_PATH environment variable to a path that Deno will use to connect to the broker:

On Unix-like systems: a Unix domain socket path (for example, /tmp/deno-perm.sock).
On Windows: a named pipe (for example, \\.\pipe\deno-perm-broker).

When a permission broker is active:

All --allow-* and --deny-* flags are ignored.
Interactive permission prompts are not shown (equivalent to non-interactive mode).
Every permission check is sent to the broker; the broker must reply with a decision for each request.

If anything goes wrong during brokering (for example: Deno cannot connect to the socket/pipe, messages are malformed, arrive out of order, IDs do not match, or the connection closes unexpectedly), Deno immediately terminates the process to preserve integrity and prevent permission escalation.

The request/response message shapes are versioned and defined by JSON Schemas:

Request schema: permission-broker-request.v1.json
Response schema: permission-broker-response.v1.json

Each request contains a version (v), the Deno process ID (pid), a unique monotonic request id, a timestamp (datetime, RFC 3339), the permission name, and an optional value depending on permission type. The response must echo the id and include a result of either "allow" or "deny". When denied, a human-readable reason may be included.

Example message flow:

-> req {"v":1,"pid":10234,"id":1,"datetime":"2025-01-01T00:00:00.000Z","permission":"read","value":"./run/permission_broker/scratch.txt"}
<- res {"id":1,"result":"allow"}
-> req {"v":1,"pid":10234,"id":2,"datetime":"2025-01-01T00:00:01.000Z","permission":"read","value":"./run/permission_broker/scratch.txt"}
<- res {"id":2,"result":"allow"}
-> req {"v":1,"pid":10234,"id":3,"datetime":"2025-01-01T00:00:02.000Z","permission":"read","value":"./run/permission_broker/log.txt"}
<- res {"id":3,"result":"allow"}
-> req {"v":1,"pid":10234,"id":4,"datetime":"2025-01-01T00:00:03.000Z","permission":"write","value":"./run/permission_broker/log.txt"}
<- res {"id":4,"result":"allow"}
-> req {"v":1,"pid":10234,"id":5,"datetime":"2025-01-01T00:00:04.000Z","permission":"env","value":null}
<- res {"id":5,"result":"deny","reason":"Environment access is denied."}

Advanced use only

Using a permission broker changes Deno’s decision authority: CLI flags and prompts no longer apply. Ensure your broker process is resilient, audited, and available before enabling DENO_PERMISSION_BROKER_PATH.