Hardcoded session secret
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An express-session or cookie-session store is configured with a string-literal secret instead of reading it from the environment, so anyone with the source can forge session cookies.
Why it matters
A hardcoded session secret signs every session cookie, so anyone who can read the source (a teammate, a fork, a leaked repo) can forge a valid session for any user. Literal secrets in code also tend to be short and reused across environments. Rotating it later invalidates every active session, so a leak here is costly to clean up.
How to fix it
Read the session secret from an environment variable and fail fast at startup if it is unset, rather than defaulting to a literal. Generate a long random value (32 bytes or more) per environment and store it in your host secret manager. Keep the name in .env.example with a placeholder, and rotate the exposed value since it remains in git history.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo