Some words about security.js

security.js refers to the collection of submodules that are generated and preconfigured from the interpreted policy. The file is built at the root of the project directory and should not be moved. When all components in security.json are enabled, it looks like this:

module.exports = {
  dependencies: require('./security/dependencies'),
  auth: require('./security/authentication'),
  fireAuth: require('./security/fire_auth'),
  secrets: require('./security/secrets'),
  forms: require('./security/forms'),
  sessions: require('./security/sessions'),
  api: require('./security/api'),
  headers: require('./security/headers'),
  cache: require('./security/cache'),
  validation: require('./security/validation'),
  database: require('./security/database'),
  connections: require('./security/connections'),
  cors: require('./security/cors'),logging: require('./security/logging')

To make use of the methods in each of the submodules, you’ll need to require/import them into your application like this:

const security = require('./security')
let sessions = security.sessions

Adding/Removing Submodules

As previously stated, security.js is the actual boilerplate code that is generated once you configure your security policy (security.json). To add or remove submodules from security.js, you should enable (or disable) the component in security.json and use the _spartan --force to rewrite security.js and associated submodules like this:

// in security.json
"appDependencies": {
    "enabled": true, // enable or disable this subcomponent by toggling true or false
    "compensatingControl": false,


Making updates to the security policy directly will not translate to updates to the security.js file, and vice versa.

  1. If you want policy updates to flow to the code, you’ll need to run _spartan -u | --update. This will take you back into the questionnaire. Once complete, it will completely overwrite security.js with a new version reflecting the updated policy configuration.
  2. Alternatively, you can also run _spartan -f | --force after updating the policy directly. _spartan will parse security.json and will overwrite the existing security.js file with a new version reflecting the most current policy.