DBSC - Device Bound Session Credentials
A framework-agnostic TypeScript implementation of the W3C Device Bound Session Credentials standard, binding sessions to a device key to blunt cookie and token theft.
Stolen session cookies and bearer tokens are still one of the most reliable ways to take over an account: lift the credential off a machine and you can replay it from anywhere. Device Bound Session Credentials (DBSC) is a W3C standard that closes that gap by cryptographically binding a session to a private key that stays on the originating device, so an exfiltrated cookie alone is no longer enough to ride the session.
This project is a framework-agnostic TypeScript implementation of that standard: the protocol logic, pluggable storage, and web-framework glue needed to adopt DBSC in real services.
What’s in the box
It’s a pnpm monorepo of focused packages:
- Core protocol: the DBSC challenge/binding logic with an in-memory store for getting started and for tests.
- Hono adapter: drop-in middleware for the Hono web framework.
- Redis-backed storage: cluster-safe session storage using a Lua compare-and-set, for multi-instance deployments.
- ESLint rules: lint enforcement that pins JWT algorithms, preventing the classic alg confusion / downgrade mistakes.
Security posture
Because this is security infrastructure, the repo ships its assurance alongside the code:
- a threat model documenting what DBSC does and does not defend against,
- an assurance case mapping each security claim to the source and tests that back it,
- a security policy with a vulnerability-reporting path.
Getting started
The repo uses pnpm workspaces:
pnpm install
pnpm build
pnpm test
See the repository README for the current package names and per-package usage.