
Express session secret hardcoded to "keyboard cat" — anyone can forge session cookies #243

@amaydixit11

Description


Issue Found

After reviewing the entire codebase, I found that the Express session secret is hardcoded in backend/index.js:40:

```js
// backend/index.js (as reported): session middleware configured with the
// express-session documentation's placeholder secret
app.use(
  session({
    secret: "keyboard cat",
    resave: false,
    saveUninitialized: false,
    ...
  })
);
```

Why this matters

"keyboard cat" is the default example from express-session docs. Anyone who reads this repo's code can:

  1. Forge session cookies — Craft a valid session for any user including admins
  2. Session hijacking — The same cookie works across all instances
  3. Bypass authentication — Since session data is signed with a known secret, an attacker can create a session for any user

How to fix

  1. Generate a cryptographically random secret: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
  2. Add it to .env as SESSION_SECRET=<random-value>
  3. Update the code:
    secret: process.env.SESSION_SECRET,
  4. Regenerate the secret before deploying to production

Labels: advanced (Complex issues requiring experienced contributors), bug (Something isn't working), security (Security vulnerabilities)