# HTTP Parameter Pollution Prevention in Express.js

- ID: javascript-express-hpp-prevention
- Severity: LOW
- CWE: CWE-235
- Languages: JavaScript, TypeScript
- Frameworks: express

## Description

Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.

## Detection Message

Request parameters used without HPP protection. Express converts duplicate query/body params to arrays, which can bypass validation logic. Consider normalizing values:

```javascript
const name = Array.isArray(req.query.name) ? req.query.name[0] : req.query.name;
```

## Remediation

Option 1 - Add hpp middleware (recommended):

```bash
npm install hpp
```

```javascript
const hpp = require('hpp');
app.use(hpp());
```

Option 2 - Validate parameters manually:

```javascript
const value = Array.isArray(req.query.param)
  ? req.query.param[0] // Take first value
  : req.query.param;
```

## Related Rules

- **HTTP Parameter Pollution** [MEDIUM]:
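
The following is an added example, not part of the rule's own code. It shows why the array conversion described in the Detection Message defeats a string-only check, and how the Option 2 normalization closes the gap. `parseQuery` is a hypothetical stand-in that reproduces the array-for-duplicates shape of `req.query`; all other names and the sample query strings are constructed.

```javascript
// Added example. All names and sample inputs are constructed for illustration.

// Stand-in for the framework's query parser: a repeated key becomes an array,
// which is the req.query shape the rule describes.
function parseQuery(raw) {
  const params = new URLSearchParams(raw);
  const out = {};
  for (const key of new Set(params.keys())) {
    const all = params.getAll(key);
    out[key] = all.length > 1 ? all : all[0];
  }
  return out;
}

const MAX_NAME_LEN = 8; // assumed business rule for the example

// Unsafe: assumes a string. For an array, .length is the element count,
// so two values of any size pass a "max 8 characters" check.
function naiveValidate(name) {
  return name.length <= MAX_NAME_LEN;
}

// Option 2 from the rule: collapse to the first value before validating.
function firstValue(v) {
  return Array.isArray(v) ? v[0] : v;
}

// Stricter alternative: refuse anything that is not exactly one string.
function strictValidate(v) {
  return typeof v === 'string' && v.length <= MAX_NAME_LEN;
}

function check(raw) {
  const name = parseQuery(raw).name ?? ''; // treat a missing param as empty
  return {
    isArray: Array.isArray(name),
    naive: naiveValidate(name),                  // check as commonly written
    normalized: naiveValidate(firstValue(name)), // same check after Option 2
    strict: strictValidate(name),                // type-enforcing variant
  };
}

const polluted = 'name=' + 'A'.repeat(40) + '&name=x'; // constructed input
console.log(check('name=alice'));
console.log(check(polluted));
```

Taking the first value keeps the request working while ignoring the extra values; the strict variant rejects the request outright, which is the safer choice when a duplicated parameter is never legitimate.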