Typescript Session Cookie Secure False
Description
Detects insecure session cookie configurations in Express.js applications where cookies are not set with the 'secure' flag. When cookies lack the secure flag, they can be transmitted over unencrypted HTTP connections, potentially exposing sensitive session data to interception by attackers.
Detection Strategy
• Check for imports or requires of the 'express-session' package
• Examine session middleware configuration objects passed to express-session
• Flag as vulnerable if the session configuration either explicitly sets 'secure: false' or omits the secure flag entirely
• Alert when the cookie security configuration could allow transmission over non-HTTPS connections
Vulnerable code example
import express from 'express';
import session from 'express-session';
const app = express();
// Vulnerable: Missing security options and using insecure defaults
app.use(session({
resave: false,...✅ Secure code example
import express from 'express';
import session from 'express-session';
const app = express();
// Secure session configuration with all recommended security options
app.use(session({
secret: process.env.SESSION_SECRET, // Store secret in environment variable...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.