# CSRF Protection in Express.js

- ID: javascript-express-csrf-protection
- Severity: MEDIUM
- Languages: JavaScript, TypeScript
- Frameworks: express

## Description

Detects missing or inadequate Cross-Site Request Forgery (CSRF) protection in Express.js applications. A CSRF attack makes the victim's browser send a request the victim never intended, and the application accepts it because the victim's session cookie is attached automatically:

1. The attacker lures the user to a page (or link) that submits a forged request to the target application.
2. State-changing operations (password changes, transfers, profile updates) are the targets; the attacker never sees the response, so read-only endpoints are not the concern.
3. Browsers attach cookies, including authentication cookies, to cross-site requests, so the forged request arrives already authenticated.
4. Without an anti-CSRF token, the server has no way to tell a forged request from one the user actually submitted.

Important notes:

- The csurf package is deprecated and no longer maintained (its maintainers archived it after a vulnerability report); do not add it to new code.
- Modern CSRF protection requires a token the attacker cannot obtain, generated server-side and validated on every state-changing request, not merely the presence of a token parameter.
- SameSite cookies alone are not sufficient: older browsers ignore the attribute, SameSite=Lax still sends cookies on top-level GET navigations, and a sibling subdomain of the same registrable domain is not "cross-site" at all.
- The double-submit cookie pattern needs a secure implementation: the token must be signed (HMAC) with a server secret and, ideally, bound to the session. An unsigned double-submit check is satisfied by any attacker who can set a cookie for the domain, for example from a compromised subdomain.

Noise filtering:

- This rule reduces severity for token-based auth (JWT/Bearer) sent in an Authorization header, because the browser does not attach that header automatically. A JWT stored in a cookie is still CSRF-relevant.
- Pure API services without cookie-based authentication have lower CSRF risk.
- See rules/shared/noise-filters-javascript.yml for context detection patterns.

## Detection Message

State-changing endpoint lacks CSRF protection. This endpoint accepts POST/PUT/PATCH/DELETE requests with session-based authentication but has no CSRF token validation. Attackers can trick authenticated users into submitting malicious requests.

## Remediation

Implement CSRF protection using anti-CSRF tokens. Consider using the csrf-csrf, tiny-csrf, or edge-csrf packages. Mount the protection as middleware after the session and body-parsing middleware and before the routes, so that every POST/PUT/PATCH/DELETE handler is covered rather than only the ones a developer remembered to wrap.

## Related Rules

- **Docker Build Optimization and Best Practices** [LOW]
- **Docker Compose Obsolete Version Field** [LOW]
- **Docker File Operations Best Practices** [LOW]
- **Invalid Port Number in EXPOSE** [ERROR]
- **Multiple ENTRYPOINT Instructions** [MEDIUM]