Typescript Hardcoded Session Secret
Description
Detects hardcoded session secrets in Express.js applications. Using a static session secret in production is a security risk as it makes session tokens predictable and could allow attackers to forge valid session identifiers. Session secrets should be randomly generated and provided via environment variables or secure configuration management.
Detection Strategy
• Identifies usage of the express-session module by checking import statements and aliases
• Examines session middleware configuration calls to express-session
• Checks if the 'secret' option is set to a hardcoded/static value in the configuration object
• Reports a vulnerability when a literal string or number is used as the session secret instead of an environment variable or configuration value
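The four steps above, worked as a small checker. This is an added illustration, not Fluid Attacks' own engine: it matches source text with regular expressions instead of a real TypeScript AST, and the sample input it runs on is constructed.

```typescript
// Added example, not the Fluid Attacks engine: a minimal text-based detector for the
// four steps above. Regular expressions stand in for a real TypeScript AST, so it
// only handles the simple shapes shown on this page.
interface Finding { line: number; secret: string; }

// Step 1: local names bound to express-session (default import or require alias).
function sessionAliases(src: string): string[] {
  const re = /import\s+(\w+)\s+from\s+['"]express-session['"]|(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]express-session['"]\s*\)/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) names.push(m[1] || m[2]);
  return names;
}

// Resolve simple constants such as `const secretKey: string = '...'` to their literal.
function literalConsts(src: string): Record<string, string> {
  const re = /(?:const|let|var)\s+(\w+)(?:\s*:\s*\w+)?\s*=\s*('[^']*'|"[^"]*"|\d+)\s*;/g;
  const out: Record<string, string> = {};
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) out[m[1]] = m[2];
  return out;
}

// Steps 2-4: inspect the `secret` option of every session middleware call and
// report it when it is a string/number literal or a constant that holds one.
function findHardcodedSessionSecrets(src: string): Finding[] {
  const consts = literalConsts(src);
  const findings: Finding[] = [];
  for (const alias of sessionAliases(src)) {
    const callRe = new RegExp('\\b' + alias + '\\(\\s*\\{([\\s\\S]*?)\\}\\s*\\)', 'g');
    let call: RegExpExecArray | null;
    while ((call = callRe.exec(src)) !== null) {
      const opt = /\bsecret\s*:\s*([^,}\n]+)/.exec(call[1]);
      if (!opt) continue;
      const expr = opt[1].trim();
      const literal = /^('[^']*'|"[^"]*"|\d+)$/.test(expr) ? expr : consts[expr];
      if (literal !== undefined) findings.push({ line: src.slice(0, call.index).split('\n').length, secret: literal });
    }
  }
  return findings;
}

// Constructed sample mirroring this page's vulnerable example (process.env.X as the secret yields no finding).
const VULNERABLE = [
  "import session from 'express-session';",
  "const secretKey: string = 'hardcoded_secret_key';",
  "app.use(session({ secret: secretKey, resave: false }));",
].join('\n');
console.log(findHardcodedSessionSecrets(VULNERABLE)); // → [{ line: 3, secret: "'hardcoded_secret_key'" }]
```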
Vulnerable code example
import express from 'express';
import session from 'express-session';
const app = express();
// Vulnerable: Secret key hardcoded directly in code
const secretKey: string = 'hardcoded_secret_key';
app.use(session({ secret: secretKey }));
✅ Secure code example
import express from 'express';
import session from 'express-session';
import dotenv from 'dotenv';
dotenv.config(); // Load environment variables
const app = express();
// Secure: Load secret from environment variable (SESSION_SECRET is an assumed variable name)
const secretKey = process.env.SESSION_SECRET;
if (!secretKey) {
  throw new Error('SESSION_SECRET is not set'); // Fail fast instead of starting with no secret
}
app.use(session({ secret: secretKey }));