Problem
Backend uses session-based auth (Passport session strategy) but has no CSRF token mechanism. Only Helmet is configured as security middleware.
Impact
Malicious pages can submit requests on behalf of authenticated users — creating shares, modifying data, changing settings.
Suggested Fix
- Add CSRF token middleware (csurf or double-submit cookie)
- Or use SameSite=Strict cookies + custom headers for mutations
- Add Origin header validation as defense-in-depth
Found during source code review. v1.10.0