Express session secret is hardcoded to "keyboard cat" in backend/index.js:40:

```js
app.use(
  session({
    secret: "keyboard cat",
    resave: false,
    saveUninitialized: false,
    ...
  })
);
```
Why this matters
"keyboard cat" is the placeholder secret used in the express-session documentation examples. Anyone who can read this repository's source knows the secret that signs the session cookie and can:
- Forge session cookies: craft a validly signed session cookie for any user, including admins
- Hijack sessions: session data is signed with a secret that is no longer secret, so the signature no longer proves anything
- Bypass authentication: craft a payload that sets req.session.passport.user to any user ID
How to fix
- Generate a cryptographically random secret
- Add it to .env as SESSION_SECRET
- Update the code to use process.env.SESSION_SECRET
- Regenerate the secret before deploying to production