Not all random values are created equal - for security-related code, you need a specific kind of random value.
A summary of this article, if you don't want to read the entire thing:
- Don't use
Math.random()
. There are extremely few cases where Math.random()
is the right answer. Don't use it, unless you've read this entire article, and determined that it's necessary for your case.
- Don't use
crypto.getRandomBytes
directly. While it's a CSPRNG, it's easy to bias the result when 'transforming' it, such that the output becomes more predictable.
- If you want to generate random tokens or API keys: Use
uuid
, specifically the uuid.v4()
method. Avoid node-uuid
- it's not the same package, and doesn't produce reliably secure random values.
- If you want to generate random numbers in a range: Use
random-number-csprng
.
You should seriously consider reading the entire article, though - it's