include::../description.adoc[]

As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use a cryptographically secure pseudorandom number generator (CSPRNG) like ``++crypto.getRandomValues()++``.
* Use the generated random values only once.
* You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.

== Sensitive Code Example

----
const val = Math.random(); // Sensitive
// Check if val is used in a security context.
----

== Compliant Solution

[source,javascript]
----
// === Client side ===
const crypto = window.crypto || window.msCrypto;
var array = new Uint32Array(1);
crypto.getRandomValues(array);

// === Server side ===
const crypto = require('crypto');
const buf = crypto.randomBytes(1);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 8 Dec 2018, 19:30:39 Lars Svensson wrote:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto

https://nodejs.org/api/crypto.html



include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]