# no-missing-csrf-protection

Keywords: CSRF, CWE-352, security, ESLint rule, CSRF protection, token validation, middleware, Express, Fastify, LLM-optimized, code security

Detects missing CSRF token validation on state-changing routes (POST/PUT/PATCH/DELETE). This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages that AI assistants can act on directly.

💼 This rule is set to `error` by default in the recommended config.
## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-352 (Cross-Site Request Forgery) |
| Severity | HIGH (security vulnerability) |
| Auto-Fix | ❌ No (requires manual CSRF middleware setup) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All web applications with state-changing operations, Express, Fastify |
## Vulnerability and Risk

**Vulnerability:** Cross-Site Request Forgery (CSRF) occurs when an application processes state-changing requests (creating users, transferring funds, changing a password) without verifying that the request was deliberately issued by the user's own client. The usual proof is a CSRF token that only a page served by the application can know and that the request must echo back.

**Risk:** An attacker lures an authenticated user to a malicious site, which then submits a request to the vulnerable application (for example via an auto-submitting form). The browser attaches the user's cookies to that request automatically, so the application executes the unauthorized action with the victim's identity and privileges. The attacker never needs to read the response; triggering the side effect is enough.
## Why This Matters

| Issue | Impact | Solution |
|---|---|---|
| 🔒 CSRF Attacks | Unauthorized state changes performed as the victim | Add CSRF middleware |
| 🔐 Data Integrity | Malicious requests originating from other sites are accepted | Validate CSRF tokens |
| 🍪 Session Riding | Attacker reuses the victim's authenticated session via the browser's cookies | Use CSRF protection |
| 📊 Best Practice | All state-changing operations need CSRF protection | Protect POST/PUT/PATCH/DELETE |
## Detection Patterns

The rule detects:

- Express routes: `app.post()`, `app.put()`, `app.delete()`, `app.patch()` (and the same methods on a `router`) whose argument list contains no CSRF middleware
- Common CSRF middleware names: `csrf`, `csurf`, `csrfProtection`, `validateCsrf`, `csrfToken`, `csrfMiddleware`
- Global CSRF middleware applied via `app.use(csrf())`

Detection is by identifier name: a middleware is recognized because its name matches one of the configured patterns, not because its behaviour is analyzed. Name custom middleware accordingly (or add it to `csrfMiddlewarePatterns`), and do not expect the rule to catch a middleware that carries a matching name but performs no real validation.
## Examples

### ❌ Incorrect

```js
// Missing CSRF protection on state-changing routes
app.post('/api/users', (req, res) => {
  // ❌ No CSRF middleware
  // Create user
});

router.put('/api/users/:id', (req, res) => {
  // ❌ No CSRF middleware
  // Update user
});

app.delete('/api/users/:id', handler); // ❌ No CSRF middleware
```

### ✅ Correct

```js
// CSRF middleware added per route
app.post('/api/users', csrf(), (req, res) => {
  // ✅ CSRF middleware
  // Create user
});

router.put('/api/users/:id', csrfProtection, (req, res) => {
  // ✅ CSRF middleware
  // Update user
});

// Global CSRF middleware. Express runs middleware in registration order,
// so app.use() must come before the routes it is meant to protect.
app.use(csrf({ cookie: true })); // ✅ Global protection
app.post('/api/users', (req, res) => {
  // ✅ Protected by global middleware
  // Create user
});

// GET requests don't need CSRF, provided the handler has no side effects
app.get('/api/users', (req, res) => {
  // ✅ GET doesn't need CSRF
  // Return users
});
```

## Error Message Format
The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:

```
🔒 CWE-352 OWASP:A01 CVSS:8.8 | Cross-Site Request Forgery (CSRF) detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/
```

### Message Components

| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-352 OWASP:A01 CVSS:8.8 |
| Issue Description | Specific vulnerability | Cross-Site Request Forgery (CSRF) detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Review and apply the recommended fix |
| Technical Truth | Official reference | https://owasp.org/Top10/A01_2021/ (OWASP Top 10 A01:2021, Broken Access Control) |
## Configuration

### Default Configuration

```json
{
  "secure-coding/no-missing-csrf-protection": "error"
}
```

### Options

| Option | Type | Default | Description |
|---|---|---|---|
| `allowInTests` | boolean | `false` | Allow missing CSRF middleware in test files |
| `csrfMiddlewarePatterns` | string[] | `['csrf', 'csurf', ...]` | Identifier names recognized as CSRF middleware |
| `protectedMethods` | string[] | `['post', 'put', 'delete', 'patch']` | HTTP methods requiring CSRF middleware |
| `ignorePatterns` | string[] | `[]` | Route path patterns to skip (e.g. `/api/public`) |

### Example Configuration

```json
{
  "secure-coding/no-missing-csrf-protection": [
    "error",
    {
      "allowInTests": true,
      "csrfMiddlewarePatterns": ["csrf", "myCustomCsrf"],
      "protectedMethods": ["post", "put", "delete"],
      "ignorePatterns": ["/api/public"]
    }
  ]
}
```

Note that this example's `protectedMethods` omits `patch`, so PATCH routes would no longer be checked; narrow the default list only when you have a deliberate reason to.

## Best Practices
- Protect all state-changing routes: POST, PUT, DELETE, PATCH
- Use middleware: Leverage Express/Fastify CSRF middleware rather than ad-hoc checks inside individual handlers. The `csurf` package is deprecated and no longer maintained, so prefer a maintained alternative.
- Global protection: Apply CSRF middleware globally when possible, registered before the routes it must cover
- Token validation: Validate the CSRF token on every protected request, bind it to the user's session, and compare it in constant time
- Safe methods: GET, HEAD and OPTIONS are exempt only because they must not change state; a GET handler that performs a side effect is exposed to CSRF regardless of what the rule reports. Do not confuse "safe" with "idempotent": PUT and DELETE are idempotent and still require protection.
## Known False Negatives

The following patterns are not detected due to static analysis limitations; the rule inspects direct `app.<method>()` / `router.<method>()` calls and their literal arguments only:

### Values from Variables

Why: Values stored in variables are not traced, so a route-registration function held in a variable is not recognized as a route call.

```js
// ❌ NOT DETECTED - Registration through a variable
const registerPost = app.post.bind(app);
registerPost('/api/users', handler); // no CSRF middleware, but not an app.post() call
```

Mitigation: Register routes directly on `app`/`router`, or rely on globally applied CSRF middleware.

### Wrapper Functions

Why: Custom wrappers around route registration are not recognized at the call site.

```js
// ❌ NOT DETECTED - Wrapper
function route(path, handler) {
  return app.post(path, handler); // registers the route without CSRF internally
}
route('/api/users', handler);
```

Mitigation: Lint the file that implements the wrapper; the `app.post()` inside it is what the rule can see.

### Dynamic Invocation

Why: Dynamically computed method names are not analyzed.

```js
// ❌ NOT DETECTED - Dynamic
app[method]('/api/users', handler); // `method` is only known at runtime
```

Mitigation: Avoid dynamic method invocation for route registration.
## Related Rules

- `no-insecure-cookie-settings` - Detects insecure cookie configurations
- `no-missing-authentication` - Detects missing authentication
- `no-missing-cors-check` - Detects missing CORS validation (wildcard CORS, missing origin check) that can allow unauthorized cross-origin requests
- `no-missing-security-headers` - Detects missing security headers