Javascript Manual Csrf Token Handling Axios
Description
This detector identifies JavaScript applications using Axios HTTP client library that implement manual CSRF token handling instead of relying on automatic browser-based CSRF protection mechanisms. Manual CSRF token handling can lead to implementation flaws, token exposure, or bypasses that compromise the application's Cross-Site Request Forgery protection.
Detection Strategy
• Identifies when the Axios HTTP client library is imported or referenced in JavaScript code (either as 'axios' or through aliases)
• Scans all function calls and HTTP request configurations within the codebase for Axios usage patterns
• Detects when Axios requests contain manual CSRF token handling logic such as custom headers, token extraction from DOM elements, or explicit token parameters
• Reports vulnerabilities when Axios configurations show evidence of manual CSRF token implementation rather than relying on the browser's automatic cookie-based CSRF protection
• Flags code patterns where developers manually manage CSRF tokens in Axios requests, which increases the risk of implementation errors or security bypasses
Vulnerable code example
  import axios from 'axios';
  // Extract CSRF token from URL parameters
  const token = window.location.search.split('csrfToken=')[1];
  // VULNERABLE: CSRF token from URL can be controlled by attacker
  axios.post('/api/order', {}, {
    headers: {
      'X-CSRF-Token': token // attacker-supplied value is sent as the CSRF header
    }
  });
✅ Secure code example
  import axios from 'axios';
  // SECURE: Get CSRF token from meta tag set by server
  const token = document.querySelector('meta[name="csrf-token"]')?.content;
  axios.post('/api/order', {}, {
    headers: {
      'X-CSRF-Token': token // Token from trusted DOM source
    }
  });
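As an added example (not Fluid Attacks' detector), the detection strategy above and the two snippets can be exercised with a heuristic scanner that locates Axios calls setting a CSRF header by hand and classifies where the token value was read from; the SAMPLE string, the regexes and the risk levels are constructed assumptions.

```javascript
// Added example, not Fluid Attacks' detector: a heuristic scan for the patterns
// listed under "Detection Strategy". It finds Axios calls that set a CSRF header
// by hand and classifies where the token value was read from.
const AXIOS_IMPORT =
  /\bimport\s+(\w+)\s+from\s+['"]axios['"]|\b(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]axios['"]\s*\)/;
const CSRF_HEADER = /['"]x-(?:csrf|xsrf)-token['"]\s*:\s*([A-Za-z_$][\w$]*)/i;
// Token origins the scanner recognises, with the (assumed) risk a reviewer would assign.
const TOKEN_SOURCES = [
  { source: 'url', risk: 'high', re: /window\.location|URLSearchParams/ },
  { source: 'storage', risk: 'medium', re: /\b(?:local|session)Storage\b/ },
  { source: 'meta', risk: 'low', re: /querySelector\(\s*['"]meta\[/ },
  { source: 'cookie', risk: 'low', re: /document\.cookie/ },
];
// Text of one call from its opening '(' to the matching ')'.
function callBody(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if ('({['.includes(src[i])) depth++;
    else if (')}]'.includes(src[i])) depth--;
    if (depth === 0) return src.slice(openIdx, i + 1);
  }
  return src.slice(openIdx); // unterminated call: scan whatever is there
}
// Classify the expression first assigned to `name`.
function classifyToken(src, name) {
  const safe = name.replace(/\$/g, '\\$');
  const decl = src.match(new RegExp(`\\b(?:const|let|var)\\s+${safe}\\s*=([^;]+);`));
  if (!decl) return { source: 'unknown', risk: 'medium' };
  const hit = TOKEN_SOURCES.find((t) => t.re.test(decl[1]));
  return hit ? { source: hit.source, risk: hit.risk } : { source: 'other', risk: 'medium' };
}
function scanAxiosCsrf(src) {
  const imp = src.match(AXIOS_IMPORT);
  if (!imp) return []; // no Axios import: nothing for this detector to report
  const alias = imp[1] || imp[2];
  const callRe = new RegExp(`\\b${alias}\\.(?:get|post|put|patch|delete|request)\\s*\\(`, 'g');
  const findings = [];
  for (let m; (m = callRe.exec(src)) !== null; ) {
    const hdr = callBody(src, m.index + m[0].length - 1).match(CSRF_HEADER);
    if (!hdr) continue; // this call does not set a CSRF header manually
    findings.push({ call: m[0].trim(), token: hdr[1], ...classifyToken(src, hdr[1]) });
  }
  return findings;
}
// Constructed sample mirroring the vulnerable snippet above.
const SAMPLE = `import axios from 'axios';
const token = window.location.search.split('csrfToken=')[1];
axios.post('/api/order', {}, { headers: { 'X-CSRF-Token': token } });`;
console.log(scanAxiosCsrf(SAMPLE)); // one finding: source 'url', risk 'high'
```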