Insecure cookie configuration can lead to a cross-site request forgery (CSRF) vulnerability. This can enable an attacker to trick authenticated end users into performing unwanted actions without their consent.
import express, { Request, Response } from 'express'
// Single shared Express application; the route handler below is registered on it.
const app = express()
/**
 * Registers a GET "/" handler that sets a cookie with `sameSite: 'none'`.
 *
 * Noncompliant example: with SameSite=None the browser attaches the cookie
 * to requests initiated from any other site, so a request forged from a
 * foreign origin arrives carrying the user's cookie. The `secure` flag only
 * restricts the cookie to HTTPS; it does not limit cross-site sending.
 */
function crossSiteRequestForgeryNoncompliant() {
  app.get("/", (req: Request, res: Response) => {
    // Noncompliant: `sameSite` is set to 'none'.
    const cookieOptions = { sameSite: 'none', secure: true } as const
    res.cookie('cookieName', 'cookieValue', cookieOptions)
    res.render("index.html")
  })
}
import express, { Request, Response } from 'express'
// Single shared Express application; the route handler below is registered on it.
const app = express()
/**
 * Registers a GET "/" handler that sets a cookie with `sameSite: 'lax'`.
 *
 * Compliant example: with SameSite=Lax the browser withholds the cookie from
 * cross-site subrequests (forms posted from another origin, embedded
 * resources), so a forged request does not carry it. Lax still sends the
 * cookie on top-level GET navigations, so state-changing operations should
 * not be reachable via GET; `'strict'` or an anti-CSRF token tightens this
 * further if the application can tolerate it.
 */
function crossSiteRequestForgeryCompliant() {
  app.get("/", (req: Request, res: Response) => {
    // Compliant: `sameSite` is set to 'lax'.
    const cookieOptions = { sameSite: 'lax', secure: true } as const
    res.cookie('cookieName', 'cookieValue', cookieOptions)
    res.render("index.html")
  })
}