Cross-Site Request Forgery (CSRF) Due to Missing CSRF Middleware in Express

High Risk: Cross-Site Request Forgery
Tags: JavaScript, Express, CSRF, Session Management, Web Security, Middleware

What it is

Express applications without CSRF protection are vulnerable to Cross-Site Request Forgery attacks, where malicious websites can perform unauthorized actions on behalf of authenticated users by exploiting their active session cookies.

const express = require('express');
const session = require('express-session');
const app = express();

app.use(express.json());
app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false
}));

// Vulnerable endpoints without CSRF protection
app.post('/change-password', (req, res) => {
    const { newPassword } = req.body;
    
    if (req.session.userId) {
        updatePassword(req.session.userId, newPassword);
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Not authenticated' });
    }
});

app.delete('/delete-account', (req, res) => {
    if (req.session.userId) {
        deleteUser(req.session.userId);
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Not authenticated' });
    }
});

// Secure version: session cookie hardened and csurf middleware added
const express = require('express');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const session = require('express-session');
const app = express();

app.use(express.json());
app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
        secure: process.env.NODE_ENV === 'production',
        httpOnly: true,
        maxAge: 30 * 60 * 1000,
        sameSite: 'strict'
    }
}));

// csurf in cookie mode keeps its secret in a cookie, so cookie-parser must run before it
app.use(cookieParser());

// CSRF protection middleware
const csrfProtection = csrf({
    cookie: {
        httpOnly: true,
        secure: process.env.NODE_ENV === 'production',
        sameSite: 'strict'
    }
});

// Safe methods (GET, HEAD, OPTIONS) pass through; every other method must carry a valid token,
// otherwise csurf raises an error that Express answers with 403 before the handler runs
app.use(csrfProtection);

// CSRF token endpoint: the client sends the token back in the CSRF-Token header
// (or the _csrf body field) on each state-changing request
app.get('/csrf-token', (req, res) => {
    res.json({ csrfToken: req.csrfToken() });
});

// Protected endpoints with CSRF validation
app.post('/change-password', (req, res) => {
    const { newPassword } = req.body;

    if (req.session.userId) {
        // Additional validation
        if (!newPassword || newPassword.length < 8) {
            return res.status(400).json({ error: 'Password too weak' });
        }

        updatePassword(req.session.userId, newPassword);
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Not authenticated' });
    }
});

app.delete('/delete-account', (req, res) => {
    if (req.session.userId) {
        // Additional confirmation could be required
        deleteUser(req.session.userId);
        // Drop the session so the cookie cannot be reused after the account is gone
        req.session.destroy();
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Not authenticated' });
    }
});

💡 Why This Fix Works

The vulnerable version accepts any request that carries a valid session cookie, and the browser attaches that cookie automatically even to requests that a third-party page triggers, so a forged POST or DELETE from another site is processed as the victim. The secure version adds the csurf middleware: every state-changing request must also carry a CSRF token that the client first obtained from the application, and a cross-site page cannot read that token, so forged requests are rejected with 403 before the handler runs. Setting sameSite: 'strict' on the cookies adds a second layer by keeping the browser from sending them on cross-site requests at all.

Why it happens

Express ships no CSRF protection by default, so applications that never add CSRF middleware leave their state-changing endpoints open to cross-site requests.

Root causes

Missing CSRF Middleware

The application relies on the session cookie alone to authorize state-changing requests and never adds middleware that checks a CSRF token, so any request the browser sends with that cookie is accepted regardless of which site initiated it.

Preview example – JAVASCRIPT
const express = require('express');
const session = require('express-session');
const app = express();

// Session configured but no CSRF protection
app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false
}));

// Vulnerable: State-changing endpoint without CSRF protection
app.post('/transfer-money', (req, res) => {
    const { toAccount, amount } = req.body;
    
    if (req.session.userId) {
        // Process money transfer - vulnerable to CSRF!
        transferMoney(req.session.userId, toAccount, amount);
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Not authenticated' });
    }
});

Fixes

1. Implement CSRF Middleware

Add CSRF protection middleware that issues tokens to the client and rejects any state-changing request (POST, PUT, PATCH, DELETE) that does not carry a valid one.

Detect This Vulnerability in Your Code

Sourcery automatically identifies Cross-Site Request Forgery (CSRF) due to missing CSRF middleware in Express, along with many other security issues in your codebase.