Static asset with active session detected.


Static assets are often cached by services in front of the application (eg. CDNs). Serving static assets with sessions enabled may lead to Cross-Site Request Forgery (CSRF) attacks that can hijack a user's session.


✅ Ensure static resources are handled prior to session initialization:

  // static middleware should be added before session middleware
app.use(express.static(__dirname + "/public"))


Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.