Conversation
⛔ Snyk checks have failed. 5 issues have been found so far.
✅ security/snyk check is complete. No issues have been found.
✅ license/snyk check is complete. No issues have been found.
⛔ code/snyk check is complete. 5 issues have been found.
| app.set('view engine', 'ejs'); | ||
| app.use(logger('dev')); | ||
| app.use(methodOverride()); | ||
| app.use(session({ |
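Review bot: the `secret` handed to `session({` on the last line of this hunk is a literal in source; read it from the environment or a secret store (for example `secret: process.env.SESSION_SECRET`), refuse to start when it is absent, and treat the committed value as compromised because it is already in the repository history.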
Hardcoded Secret
Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in express-session.
Line 42 | CWE-547 | Priority score 834
⚡ Fix this issue by replying with the following command: @snyk /fix
| app.use(errorHandler()); | ||
| } | ||
| var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9'; |
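Review bot: `var token = 'SECRET_TOKEN_...'` commits a credential to the repository; moving it into configuration is necessary but not sufficient, since deleting the literal in a later commit does not remove it from git history, so the value also has to be rotated.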
Hardcoded Secret
Avoid hardcoding values that are meant to be secret. Found a hardcoded string used here.
Line 83 | CWE-547 | Priority score 834
⚡ Fix this issue by replying with the following command: @snyk /fix
| var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9'; | ||
| console.log('token: ' + token); | ||
| http.createServer(app).listen(app.get('port'), function () { |
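Review bot: `console.log('token: ' + token)` writes the credential to stdout, so it ends up in every log collector even once the literal is moved out of source; drop the line or log only a non-reversible fingerprint of the value. On the last line, `http.createServer` should become `https.createServer` with key and certificate loaded from configuration, or the process should sit behind a TLS terminator with `app.set('trust proxy', 1)` so the secure cookie still works.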
Cleartext Transmission of Sensitive Information
http.createServer uses HTTP which is an insecure protocol and should not be used in code due to cleartext transmission of information. Data in cleartext in a communication channel can be sniffed by unauthorized actors. Consider using the https module instead.
Line 86 | CWE-319 | Priority score 567
⚡ Fix this issue by replying with the following command: @snyk /fix
| var cons = require('consolidate'); | ||
| const hbs = require('hbs') | ||
| var app = express(); |
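Review bot: nothing after `var app = express();` registers CSRF protection; add a per-request token check for state-changing routes (for example the `csurf` middleware or a double-submit cookie) and set `sameSite` on the session cookie as a second layer rather than relying on either alone.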
Cross-Site Request Forgery (CSRF)
CSRF protection is disabled for your Express app. This allows the attackers to execute requests on a user's behalf.
Line 28 | CWE-352 | Priority score 367
⚡ Fix this issue by replying with the following command: @snyk /fix
| app.use(session({ | ||
| secret: 'keyboard cat', | ||
| name: 'connect.sid', | ||
| cookie: { path: '/' } |
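Review bot: `cookie: { path: '/' }` leaves `secure`, `httpOnly` and `sameSite` at their defaults; set `secure: true`, `httpOnly: true` and `sameSite: 'lax'`, and replace `'keyboard cat'` with an environment value, since that string is the example secret from the express-session README and is widely known.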
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Cookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.
Line 45 | CWE-614 | Priority score 417
⚡ Fix this issue by replying with the following command: @snyk /fix
Added app implementation... hope it's secure 🤞