Vril.js
The Security-First
React Framework
Post-quantum cryptography, zero-trust membrane, crypto agility, and breakthrough browser hardening — woven into every layer. Zero dependencies. 22 modules. 200+ exports.
Security by Default, Not by Config
Zero-config security. Intuitive APIs. Full TypeScript. Every cryptographic operation uses the Web Crypto API — no polyfills, no dependencies.
1import{createVrilApp}from'vril';23constapp=createVrilApp({4security:{5trustedTypes:true,6apiMembrane:true,7blockedAPIs:['WebTransport'],8csp:{9defaultSrc:["'self'"],10objectSrc:["'none'"],11frameSrc:["'none'"],12},13headers:{14strictTransportSecurity:15'max-age=63072000; preload',16crossOriginEmbedderPolicy:17'credentialless',18},19},20crypto:{21pqcEnabled:true,22hybridMode:true,23kdfIterations:600_000,24},25});22 Modules. One Mission.
Security isn't a feature — it's the foundation. Every module in Vril.js is built with cryptographic integrity and zero-trust principles from the first line.
Post-Quantum Cryptography
ML-KEM-768 (FIPS 203) and ML-DSA-65 (FIPS 204) with hybrid key exchange. Quantum-resistant by default.
Hybrid Key Exchange
X25519 + ML-KEM-768 hybrid KEM. Classical + post-quantum security in every handshake. Belt and suspenders.
Crypto Agility
NIST 2035 migration paths built in. Algorithm registry, versioning, and automated migration — zero downtime.
ΩVault Encryption
AES-256-GCM + PBKDF2-SHA-512 at 600K iterations. Zero-knowledge client-side encryption with visual KDF progress.
ΩSignal Reactivity
Fine-grained reactive primitives — signal, computed, effect, batch, untrack — with auto dependency tracking. Zero deps.
Zero-Trust Membrane
Trusted Types, API membrane blocking, DOM XSS prevention. Installed at document-start before any app code runs.
Secure SSR
Streaming SSR with SHA-256 integrity validation. Selective hydration. RSC deserialization with type allowlisting.
Edge Runtime
Edge KV, Geo, and Security primitives. Bot detection, IP allowlist/blocklist, edge rate limiting. Multi-CDN.
Build Security
20-point security audit. SBOM generation (CycloneDX). SRI multi-hash. Sigstore signing. Build integrity verification.
Plugin Architecture
Dependency-aware plugin registry. Integrity verification. Permission sandboxing. Lifecycle hooks and middleware chain.
Type-Safe API Routes
Zero-dep schema validation. Rate limiting. CSRF protection. Versioning. Composable middleware chain.
RBAC & Auth Primitives
Session management with HMAC-SHA-256. JWT-like tokens via Web Crypto. PBKDF2 password hashing. Hierarchical RBAC.
Five Layers of Zero-Trust
From browser hardening to build integrity, every layer is enforced by default. No opt-in required. No configuration needed.
Build-Time Integrity
Application Security
Cryptographic Layer
Transport Security
Browser Hardening
Why Vril.js?
No other framework ships with post-quantum cryptography, zero-trust security, and crypto agility built in.
| Feature | Next.js | Remix | Astro | Vril.js |
|---|---|---|---|---|
| PQC Support | ✗ | ✗ | ✗ | ✓ |
| Crypto Agility | ✗ | ✗ | ✗ | ✓ |
| Zero-Trust Membrane | ✗ | ✗ | ✗ | ✓ |
| Built-in Encryption | ✗ | ✗ | ✗ | ✓ |
| Hybrid KEM | ✗ | ✗ | ✗ | ✓ |
| SSR Integrity Validation | ✗ | ✗ | ✗ | ✓ |
| Build Security Audit | ⚠ | ✗ | ✗ | ✓ |
| Edge Runtime Security | ⚠ | ✗ | ✗ | ✓ |
| Crypto Algorithm Registry | ✗ | ✗ | ✗ | ✓ |
| SBOM Generation | ✗ | ✗ | ✗ | ✓ |
22 Modules. Zero Dependencies.
Every module is hand-crafted with zero external dependencies. All crypto uses the Web Crypto API. All streaming uses Web Streams.
Core
4Security
7Data
4Server
5Platform
6Deploy in 60 Seconds
One command. Zero config. Every security feature enabled by default. From zero to production-grade.