Static asset with active session detected.

Description

Static assets are often cached by services in front of the application (e.g. CDNs). If the session middleware runs for static requests, the cached response can carry a Set-Cookie header with one user's session identifier, which the cache then hands to every other visitor. Serving static assets with sessions enabled may therefore lead to Cross-Site Request Forgery (CSRF) attacks that can hijack a user's session.

Remediations

✅ Ensure static resources are handled prior to session initialization:

  const express = require("express")
  const session = require("express-session")
  const app = express()

  // static middleware must be registered before session middleware
  app.use(express.static(__dirname + "/public"))
  app.use(session({ secret: process.env.SESSION_SECRET }))
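To make the ordering rule concrete, here is an added example (not Bearer's code) that models an Express-style middleware chain with stand-ins for `express.static` and `express-session`, and an audit check that flags a publicly cacheable response carrying Set-Cookie. The file map, cookie name and session id are constructed for the demo.

```javascript
// Constructed stand-in for the contents of the /public directory.
const PUBLIC_FILES = { "/app.js": "console.log('hi')" };

// Minimal Express-like app: middleware runs in registration order
// until one of them ends the response.
function createApp() {
  const stack = [];
  return {
    use(fn) { stack.push(fn); },
    handle(url) {
      const req = { url, session: null };
      const res = { status: 404, headers: {}, body: "", ended: false };
      for (const fn of stack) {
        fn(req, res);
        if (res.ended) break;
      }
      return res;
    },
  };
}

// Stand-in for express.static: serves a known file and ends the response.
function serveStatic(req, res) {
  if (req.url in PUBLIC_FILES) {
    res.status = 200;
    res.headers["Cache-Control"] = "public, max-age=3600";
    res.body = PUBLIC_FILES[req.url];
    res.ended = true;
  }
}

// Stand-in for express-session: creates a session and sets its cookie
// on every request it sees (constructed cookie name and id).
function sessionMiddleware(req, res) {
  req.session = { id: "sess-constructed-0001" };
  res.headers["Set-Cookie"] = "connect.sid=" + req.session.id + "; HttpOnly";
}

// Build the app with the two middlewares in the requested order.
function buildApp(sessionFirst) {
  const app = createApp();
  if (sessionFirst) { app.use(sessionMiddleware); app.use(serveStatic); }
  else { app.use(serveStatic); app.use(sessionMiddleware); }
  return app;
}

// Audit check: a publicly cacheable response must never carry Set-Cookie,
// otherwise a CDN can serve one user's session cookie to other users.
function leaksSessionCookie(res) {
  const cacheable = /\bpublic\b/.test(res.headers["Cache-Control"] || "");
  return cacheable && "Set-Cookie" in res.headers;
}
```

With session middleware first, the static response leaks a cookie; with static middleware first it does not, while dynamic routes still receive their session cookie.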

Associated CWE

OWASP Top 10
