Vril.js
The Security-First
React Framework
Post-quantum cryptography, zero-trust membrane, crypto agility, and breakthrough browser hardening — woven into every layer. Zero dependencies. 22 modules. 200+ exports.
Security by Default, Not by Config
Zero-config security. Intuitive APIs. Full TypeScript. Native cryptographic primitives use the Web Crypto API — no polyfills, no dependencies.
1import{createVrilApp}from'vril';23constapp=createVrilApp({4security:{5trustedTypes:true,6apiMembrane:true,7blockedAPIs:['WebTransport'],8csp:{9defaultSrc:["'self'"],10objectSrc:["'none'"],11frameSrc:["'none'"],12},13headers:{14strictTransportSecurity:15'max-age=63072000; preload',16crossOriginEmbedderPolicy:17'credentialless',18},19},20crypto:{21pqcEnabled:true,22hybridMode:true,23kdfIterations:600_000,24},25});22 Modules. One Mission.
Security isn't a feature — it's the foundation. Every module in Vril.js is built with cryptographic integrity and zero-trust principles from the first line.
Post-Quantum Cryptography
Bundled native ML-KEM, ML-DSA, and SLH-DSA with FIPS 203/204/205 conformance checks and in-tree SHA-3/SHAKE foundations.
Hybrid Key Exchange
X25519 + bundled ML-KEM hybrid KEM with SHA-256 combiner and provider override support.
Crypto Agility
NIST 2035 migration paths built in. Algorithm registry, versioning, and automated migration — zero downtime.
ΩVault Encryption
AES-256-GCM + PBKDF2-SHA-512 at 600K iterations. Zero-knowledge client-side encryption with visual KDF progress.
ΩSignal Reactivity
Fine-grained reactive primitives — signal, computed, effect, batch, untrack — with auto dependency tracking. Zero deps.
Zero-Trust Membrane
Trusted Types, API membrane blocking, DOM XSS prevention. Installed at document-start before any app code runs.
Secure SSR
Streaming SSR with SHA-256 integrity validation. Selective hydration. RSC deserialization with type allowlisting.
Edge Runtime
Edge KV, Geo, and Security primitives. Bot detection, IP allowlist/blocklist, edge rate limiting. Multi-CDN.
Build Security
20-point security audit. SBOM generation (CycloneDX). SRI multi-hash. Sigstore signing. Build integrity verification.
Plugin Architecture
Dependency-aware plugin registry. Integrity verification. Permission sandboxing. Lifecycle hooks and middleware chain.
Type-Safe API Routes
Zero-dep schema validation. Rate limiting. CSRF protection. Versioning. Composable middleware chain.
RBAC & Auth Primitives
Session management with HMAC-SHA-256. JWT-like tokens via Web Crypto. PBKDF2 password hashing. Hierarchical RBAC.
Five Layers of Zero-Trust
From browser hardening to build integrity, every layer is enforced by default. No opt-in required. No configuration needed.
Build-Time Integrity
Application Security
Cryptographic Layer
Transport Security
Browser Hardening
Why Vril.js?
Vril.js ships provider-gated post-quantum interfaces, zero-trust security, and crypto agility built in.
| Feature | Next.js | Remix | Astro | Vril.js |
|---|---|---|---|---|
| PQC Support | ✗ | ✗ | ✗ | ✓ |
| Crypto Agility | ✗ | ✗ | ✗ | ✓ |
| Zero-Trust Membrane | ✗ | ✗ | ✗ | ✓ |
| Built-in Encryption | ✗ | ✗ | ✗ | ✓ |
| Hybrid KEM | ✗ | ✗ | ✗ | ✓ |
| SSR Integrity Validation | ✗ | ✗ | ✗ | ✓ |
| Build Security Audit | ⚠ | ✗ | ✗ | ✓ |
| Edge Runtime Security | ⚠ | ✗ | ✗ | ✓ |
| Crypto Algorithm Registry | ✗ | ✗ | ✗ | ✓ |
| SBOM Generation | ✗ | ✗ | ✗ | ✓ |
22 Modules. Zero Dependencies.
Every module is hand-crafted with zero bundled crypto dependencies. Native primitives use Web Crypto, and PQC is provider-gated for authentic implementations.
Core
4Security
7Data
4Server
5Platform
6Deploy in 60 Seconds
One command. Zero config. Every security feature enabled by default. From zero to production-grade.