Severity: HIGH | CWE-352 | Category: Authentication

CSRF — Missing Anti-Forgery Token

Description

Your state-changing endpoints do not require CSRF tokens. Because the browser attaches session cookies to cross-site requests automatically, an attacker can forge requests on behalf of authenticated users.

How Vezraa Detects It

We test your POST/PUT/DELETE endpoints with cross-origin requests and check for CSRF token validation.

Real-World Impact

Attackers can trick logged-in users into performing actions — changing email, transferring funds, deleting data — without consent.

Fix Example

// Add CSRF middleware (cookie mode needs cookie-parser and a body parser mounted before it)
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
app.use(cookieParser());
app.use(express.urlencoded({ extended: false }));
app.use(csrf({ cookie: true }));

// Pass the per-request token to the view
app.get('/settings', (req, res) => res.render('settings', { csrfToken: req.csrfToken() }));

// Include the token in every form that changes state (EJS template)
<form method="POST" action="/settings">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <button type="submit">Save</button>
</form>

Affected Stacks

Express, REST APIs, cookie-based auth


CSRF — Missing Anti-Forgery Token — Vulnerability Database | Vezraa