Electron

Security Non-Negotiables

• nodeIntegration: false is mandatory — renderer with Node.js access means XSS = full system compromise
• contextIsolation: true is mandatory — separates preload context from renderer
• Whitelist IPC channels explicitly — never forward arbitrary channel names from renderer
• Validate all IPC message content — renderer is untrusted, treat like external API input
• Never use eval() or new Function() in renderer — defeats all security boundaries

Preload Script Rules

• contextBridge.exposeInMainWorld() is the only safe bridge — raw ipcRenderer exposure is vulnerable
• Clone data before passing across bridge — prevents prototype pollution attacks
• Minimal API surface — expose specific functions, not generic send/receive

Architecture Traps

• webPreferences locked after window creation — can't enable nodeIntegration later
• Blocking main process freezes ALL windows — async everything, no sync file operations
• Each BrowserWindow is separate renderer process — can't share JS variables directly
• show: false then ready-to-show — prevents white flash, looks more native

Native Module Pain

• Pre-built native modules won't work — must rebuild for Electron's specific Node version
• electron-rebuild after every Electron upgrade — version mismatch = runtime crash
• N-API modules more stable — survive Electron upgrades better than nan-based

Packaging Pitfalls

• Dev dependencies included by default — production builds bloat without explicit exclusion
• Code signing required for macOS auto-update — unsigned apps can't use Squirrel
• Windows notifications require app.setAppUserModelId() — silent failure without it
• ASAR isn't encryption — source readable with simple tools, don't rely on it for secrets

Platform-Specific Issues

• CORS blocks file:// protocol — use custom protocol (app://) or local server
• Windows needs NSIS or Squirrel for auto-update — installer format matters
• macOS universal binary needs --universal flag — ships both Intel and ARM

Memory and Performance

• Unclosed windows leak memory — call win.destroy() explicitly when done
• Lazy load heavy modules — startup time directly affects perceived quality
• backgroundThrottling: false if timers matter when minimized

Debugging

• Main process: --inspect flag, connect via chrome://inspect
• Renderer: webContents.openDevTools() or keyboard shortcut
• electron-log for persistent logs — console.log vanishes on restart