Cross-site request forgery (CSRF) forces an authenticated user to perform unintended state-changing actions in a web application. This rule detects when CSRF protection is explicitly disabled or missing from an application.
When CSRF protection is disabled or bypassed, an attacker can trick a logged-in user into submitting requests the application treats as authenticated. The rule flags configurations that disable framework CSRF middleware, exempt specific routes or views, or leave unsafe HTTP methods unprotected.
An attacker can change passwords, transfer funds, modify data, or perform other privileged operations using the victim’s session.
Successful CSRF attacks can lead to full account takeover when combined with sensitive actions such as email or credential changes.
Disabling or bypassing CSRF protection allows an authenticated user’s browser to execute state-changing requests the user did not intend.
Express.js CSURF middleware protection is missing on an unsafe HTTP method such as POST:
let csrf = require('csurf');
let bodyParser = require('body-parser');
let express = require('express');
let csrfProtection = csrf({ cookie: true });
let parseForm = bodyParser.urlencoded({ extended: false });
let app = express();
// Noncompliant: this route is not protected by CSURF middleware (csrfProtection is not used)
app.post('/money_transfer', parseForm, function (req, res) {
  res.send('Money transferred');
});
Protection provided by Express.js CSURF middleware is globally disabled on unsafe methods:
let csrf = require('csurf');
let express = require('express');
let app = express();
// Noncompliant: POST is an unsafe (state-changing) method and must not be listed in ignoreMethods
app.use(csrf({ cookie: true, ignoreMethods: ["POST", "GET"] }));
Express.js CSURF middleware protection is applied on unsafe methods:
let csrf = require('csurf');
let bodyParser = require('body-parser');
let express = require('express');
let csrfProtection = csrf({ cookie: true });
let parseForm = bodyParser.urlencoded({ extended: false });
let app = express();
// Compliant: csrfProtection runs before the handler, so a request without a valid token is rejected
app.post('/money_transfer', parseForm, csrfProtection, function (req, res) {
  res.send('Money transferred');
});
Protection provided by Express.js CSURF middleware is enabled on unsafe methods:
let csrf = require('csurf');
let express = require('express');
let app = express();
// Compliant: only the safe, read-only GET method is exempted; POST, PUT, PATCH and DELETE are checked
app.use(csrf({ cookie: true, ignoreMethods: ["GET"] }));