
Javascript Hardcoded Session Secret

Description

Detects hardcoded session secrets in Express.js applications at the point where the express-session middleware is initialized. express-session uses the secret to sign the session ID cookie, so anyone who obtains it (from the repository, a leaked build artifact or a screenshot of the code) can forge valid session cookies and hijack any user's session. The secret must instead be loaded at runtime from an environment variable or a secrets manager, and a secret that has already been committed should be treated as compromised and rotated.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

    Identifies imports or requires of the 'express-session' package

    Examines calls to express-session initialization

    Checks if the session configuration object contains a hardcoded 'secret' value instead of an environment variable or external configuration

    Reports a vulnerability when a session secret is directly written in the code instead of being loaded from a secure configuration source
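The four steps above, run over a few constructed sources, as an added example. This is not the scanner behind the rule; it is a standalone regex-plus-brace-matching approximation written for this page, and every function and sample name in it (findHardcodedSessionSecrets, VULNERABLE_SAMPLE and so on) is this example's own. It also goes slightly beyond the description: it resolves `secret: SOME_CONST` back to a string constant in the same file and inspects each element of a rotation array.

```javascript
// Added example, not the rule's own scanner: a standalone approximation of the
// detection strategy above. Function and sample names are made up for this page.

const IMPORT_RE =
  /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]express-session['"]\s*\)|import\s+(\w+)\s+from\s+['"]express-session['"]/g;

// Step 1: which identifiers is 'express-session' bound to in this file?
function sessionBindings(source) {
  return [...source.matchAll(IMPORT_RE)].map((m) => m[1] || m[2]);
}

// Top-level string constants, so `secret: SOME_CONST` is caught as well.
function stringConstants(source) {
  const re = /(?:const|let|var)\s+(\w+)\s*=\s*(['"`])((?:(?!\2).)*)\2/g;
  const consts = new Map();
  for (const m of source.matchAll(re)) {
    if (m[2] === '`' && m[3].includes('${')) continue; // interpolated, not a plain literal
    consts.set(m[1], m[3]);
  }
  return consts;
}

function isStringLiteral(value) {
  const m = /^(['"`])((?:(?!\1).)*)\1$/.exec(value);
  return Boolean(m) && !(m[1] === '`' && m[2].includes('${'));
}

// Text from the '{' at `start` to its matching '}', so multi-line objects work.
function balancedObject(source, start) {
  let depth = 0;
  for (let i = start; i < source.length; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}' && --depth === 0) return source.slice(start, i + 1);
  }
  return null;
}

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Steps 2-4: find each `<binding>({ ... })` call, read its `secret`, and report
// when the value (or any element of a rotation array) is a literal or a constant.
function findHardcodedSessionSecrets(source) {
  const findings = [];
  const consts = stringConstants(source);
  for (const name of sessionBindings(source)) {
    const callRe = new RegExp(`\\b${name}\\s*\\(\\s*\\{`, 'g');
    for (const call of source.matchAll(callRe)) {
      const objStart = call.index + call[0].lastIndexOf('{');
      const obj = balancedObject(source, objStart);
      if (!obj) continue;
      const m = /\bsecret\s*:\s*(\[[^\]]*\]|[^,}\n]+)/.exec(obj);
      if (!m) continue;
      const value = m[1].trim();
      const parts = value.startsWith('[')
        ? value.slice(1, -1).split(',').map((s) => s.trim()).filter(Boolean)
        : [value];
      const hardcoded = parts.filter((p) => isStringLiteral(p) || consts.has(p));
      if (hardcoded.length > 0) {
        findings.push({ line: lineOf(source, objStart + m.index), value, hardcoded });
      }
    }
  }
  return findings;
}

// Constructed inputs for this example (not real application code).
const VULNERABLE_SAMPLE = `
const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
  secret: 'hardcoded_secret_key',
  resave: false,
}));
`;

const CONST_SAMPLE = `
const session = require('express-session');
const SESSION_SECRET = 'keyboard cat';
const app = require('express')();
app.use(session({ secret: SESSION_SECRET, resave: false }));
`;

const ROTATION_SAMPLE = `
import session from 'express-session';
app.use(session({ secret: [process.env.NEW_SECRET, 'old-secret'] }));
`;

const SECURE_SAMPLE = `
import session from 'express-session';
app.use(session({ secret: process.env.SESSION_SECRET, resave: false }));
`;

for (const [label, src] of Object.entries({ VULNERABLE_SAMPLE, CONST_SAMPLE, ROTATION_SAMPLE, SECURE_SAMPLE })) {
  console.log(label, findHardcodedSessionSecrets(src));
}
```

The secure sample produces no finding because `process.env.SESSION_SECRET` is neither a string literal nor a constant defined in the file; the rotation sample is flagged only for its `'old-secret'` element. A production scanner works on an AST rather than regexes, so this version will miss secrets that arrive through destructuring, spread options or imports from another module.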

Vulnerable code example

const express = require('express');
const session = require('express-session');

const app = express();

// Vulnerable: Secret key hardcoded directly in code
const vulnerable_secret_key = 'hardcoded_secret_key';

app.use(session({  // Vulnerable: Using hardcoded session secret
  secret: 'hardcoded_secret_key',
  // ... remaining session options elided in the original
}));

✅ Secure code example

const express = require('express');
const session = require('express-session');
require('dotenv').config(); // Load environment variables

const app = express();

if (!process.env.SESSION_SECRET) {
  throw new Error('SESSION_SECRET environment variable is required'); // Validate secret exists before the app starts
}

app.use(session({
  secret: process.env.SESSION_SECRET, // Secure: loaded from the environment, never committed to source
  // ... remaining session options elided in the original
}));