HIGH | CWE-352 | Authentication
CSRF — Missing Anti-Forgery Token
Description
Your state-changing endpoints do not require CSRF tokens. Because the browser attaches session cookies to cross-site requests automatically, an attacker can forge requests that the server accepts on behalf of authenticated users.
How Vezraa Detects It
We send cross-origin requests to your POST/PUT/DELETE endpoints and check whether the server validates a CSRF token before acting on them.
Real-World Impact
Attackers can trick logged-in users into performing actions — changing email, transferring funds, deleting data — without consent.
Fix Example
// Add CSRF middleware (csurf in cookie mode needs cookie-parser registered first)
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
app.use(cookieParser());
app.use(csrf({ cookie: true }));
// Make the per-request token available to views
app.use((req, res, next) => { res.locals.csrfToken = req.csrfToken(); next(); });
// Include token in forms
<form method="POST">
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <!-- other fields -->
</form>
Affected Stacks
Express
REST APIs
Cookie-based auth