# Failing Open on Security Check Errors

- ID: javascript-failing-open
- Severity: CRITICAL
- CWE: CWE-636
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, koa, hapi, nestjs

## Description

Detects security checks (authentication, authorization, validation) that grant access when an error occurs instead of denying it. This is a critical security flaw where the system "fails open" rather than "failing closed/secure". When authentication or authorization checks encounter errors, the system should DENY access by default, not grant it.

## Detection Message

Security check at {location} grants access when error occurs

## Remediation

Always fail secure (deny access) when security checks encounter errors. Correct pattern:

```javascript
// ✅ SAFE - Fails closed/secure
try {
  const user = await verifyToken(token);
  req.user = user;
  next(); // Only continue on success
} catch (error) {
  logger.error('Auth failed:', error);
  return res.status(401).json({ error: 'Unauthorized' });
  // Or: next(error) to trigger error handler
}
```

## Related Rules

- **Failing Open on Error** [HIGH]:
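The two shapes this rule distinguishes, side by side, as an added example that is not part of the rule's own documentation: an Express-style middleware whose `catch` block still reaches `next()` (fails open) next to one where `next()` is reachable only on success (fails closed). `verifyToken` is a constructed synchronous stub, and `runMiddleware` is an assumed stand-in for Express's `req`/`res`/`next` so the outcome can be inspected without a server.

```javascript
// Constructed token verifier: accepts exactly one token and throws on anything
// else, standing in for an expired token, a malformed header, or a transient
// failure in a real verifier (assumption, not a real library).
function verifyToken(token) {
  if (token === 'valid-token') return { id: 42, role: 'user' };
  throw new Error('invalid token');
}

// ❌ FAILS OPEN: next() sits after the try/catch, so every error in the
// verifier is logged and the request continues without req.user being set.
function authFailOpen(req, res, next) {
  try {
    req.user = verifyToken(req.headers.authorization);
  } catch (error) {
    // Logging is not a decision; the request proceeds anyway.
    console.error('Auth failed:', error.message);
  }
  next();
}

// ✅ FAILS CLOSED: next() is only reachable inside the try block after the
// verifier succeeded; every error path ends in an explicit 401.
function authFailClosed(req, res, next) {
  try {
    req.user = verifyToken(req.headers.authorization);
    next();
  } catch (error) {
    console.error('Auth failed:', error.message);
    res.status(401).json({ error: 'Unauthorized' });
  }
}

// Minimal stand-ins for Express req/res/next (assumed shapes) that record
// whether the downstream handler was reached and what status was sent.
function runMiddleware(middleware, authorizationHeader) {
  const req = { headers: { authorization: authorizationHeader } };
  const result = { statusCode: 200, body: null, reachedHandler: false, user: null };
  const res = {
    status(code) { result.statusCode = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware(req, res, () => {
    result.reachedHandler = true;
    result.user = req.user || null;
  });
  return result;
}
```

Running both middlewares against a bad token shows the difference the rule flags: the fail-open version reaches the handler with no `req.user`, the fail-closed version stops with a 401.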