Static asset with active session detected.
- Rule ID: javascript_express_static_asset_with_session
- Languages: javascript
- Source: static_asset_with_session.yml
Description
Static assets are often cached by services in front of the application (eg. CDNs). Serving static assets with sessions enabled may lead to Cross-Site Request Forgery (CSRF) attacks that can hijack a user's session.
Remediations
✅ Ensure static resources are handled prior to session initialization:
// static middleware should be added before session middleware
app.use(express.static(__dirname + "/public"))
app.use(session())
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_static_asset_with_session
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_static_asset_with_session
Ready to take the next step? Learn more about Bearer Cloud.