Use of Hard-coded Credentials
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description#
The session secret for express-session is hard-coded directly in the source code. Storing secrets this way exposes them to anyone with code access and risks accidental leaks via version control.
Impact#
If an attacker discovers the hard-coded session secret, they could forge valid session cookies, impersonate users, and potentially gain unauthorized access to sensitive areas of the application. This compromises user accounts and overall application security.