Cross-site request forgery High

Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability. This can enable an attacker to trick end users into performing unwanted actions while authenticated.

Detector ID
typescript/cross-site-request-forgery@v1.0
Category

Noncompliant example

1import express, { Request, Response } from 'express'
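// Single shared Express application; it is never reassigned, so bind it with `const`.
const app = express()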
function crossSiteRequestForgeryNoncompliant() {
    app.get("/", (_req: Request, res: Response) => {
        // Noncompliant: `sameSite` is set to 'none'. The browser then attaches this
        // cookie to requests initiated from other origins, so a request that a
        // third-party page triggers on the user's behalf arrives with their session.
        const cookieOptions = { sameSite: 'none', secure: true } as const
        res.cookie('cookieName', 'cookieValue', cookieOptions)
        res.render("index.html")
    })
}

Compliant example

1import express, { Request, Response } from 'express'
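// Single shared Express application; it is never reassigned, so bind it with `const`.
const app = express()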
function crossSiteRequestForgeryCompliant() {
    app.get("/", (_req: Request, res: Response) => {
        // Compliant: `sameSite` is set to 'lax', so the browser withholds the cookie
        // from cross-site subrequests and cross-site form POSTs. 'lax' still sends it
        // on top-level cross-site GET navigations, so state-changing handlers should
        // not be reachable via GET; use 'strict' where that trade-off is acceptable.
        const cookieOptions = { sameSite: 'lax', secure: true } as const
        res.cookie('cookieName', 'cookieValue', cookieOptions)
        res.render("index.html")
    })
}