Will It Vibe logoWill It Vibe?
AUTHZ-004High severity-15 points

Hardcoded session secret

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

An express-session or cookie-session store is configured with a string-literal secret instead of reading it from the environment, so anyone with the source can forge session cookies.

Why it matters

A hardcoded session secret signs every session cookie, so anyone who can read the source (a teammate, a fork, a leaked repo) can forge a valid session for any user. Literal secrets in code also tend to be short and reused across environments. Rotating it later invalidates every active session, so a leak here is costly to clean up.

How to fix it

Read the session secret from an environment variable and fail fast at startup if it is unset, rather than defaulting to a literal. Generate a long random value (32 bytes or more) per environment and store it in your host secret manager. Keep the name in .env.example with a placeholder, and rotate the exposed value since it remains in git history.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks