Express Session Secure Cookies

This codemod transforms Express.js session configurations to include essential security flags, protecting against session hijacking and XSS attacks.

Security Issues Addressed

This codemod helps prevent the following security vulnerabilities:

The codemod automatically:

Adds missing security flags to Express session cookies
Updates insecure configurations (e.g., secure: false → secure: true)
Preserves existing cookie properties while adding security flags
Works with various syntax patterns (direct calls, variable assignments, etc.)

javascript

javascript

Existing cookie object with other properties:

javascript

Fixing insecure configurations:

javascript

bash

The codemod identifies Express session configurations by looking for objects containing typical session properties like:

It then ensures these configurations have secure cookie settings.

bash

After running this codemod, ensure your application:

Uses HTTPS in production - The secure: true flag requires HTTPS
Considers sameSite policy - 'strict' provides maximum protection but may affect some use cases
Reviews cookie domain settings - Ensure they're appropriate for your deployment
Tests authentication flows - Verify the changes don't break your application

MIT