To prevent prototype pollution, you should validate and sanitize any user input before using it to modify prototypes. Additionally, avoid using untrusted data to directly modify object prototypes, and use proper input validation techniques to prevent malicious input from causing unexpected behaviour.
Use Object.create(null) : When creating an object to be used as a map or a data store, initialize it without a prototype. This makes it impossible for an attacker to traverse 'up' the chain to Object.prototype.
Use Map instead of {}: The ES6 Map collection is inherently safer because it doesn't store data as properties on the object itself. It uses a separate internal mechanism, so even if someone pollutes Object.prototype, it won't appear in your Map.get() results.
Always check for 'magic' keys that provide access to the prototype chain: proto, constructor, and prototype.
Object.freeze(): You can freeze the base prototypes at the very start of your application (the entry point). Once frozen, no one—not even your own code—can add or modify properties on them.
Never trust JSON data coming from a user. Use a schema validation library like Zod, Joi, or Ajv. These libraries ensure the object matches a specific shape and strip out any unexpected keys like proto.
Static Analysis (Linting): Use ESLint plugins like eslint-plugin-security. They can flag dangerous patterns like obj[key] = value where key comes from user input.
Dependency Auditing: Regularly run npm audit. Many prototype pollution vulnerabilities are found in popular npm packages (like lodash, extend, or dot-prop). If a vulnerability is found, update to the patched version immediately.