F-2026-0011·missing-cookie-attribute

Session Cookie Missing SameSite Attribute

Fixed · pentest · backend · api · github.com/bloom-art/api
TL;DR

Session cookie configuration omitted the `sameSite` attribute, leaving CSRF resistance dependent on browser defaults. Fixed by deleting the entire session stack.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The session cookie configuration does not set sameSite.

```typescript
// bootstrap.utils.ts L56-L72
app.use(
  session({
    cookie: {
      domain,
      httpOnly: true,
      maxAge: thirtyMinutes,
      path: "/",
      secure: environmentService.isInDevOrProdEnvironment(),
      // NOTE: no sameSite attribute configured anywhere in this object
    },
    proxy: true,
    resave: false,
    rolling: true,
    saveUninitialized: true,
    secret: cookieSignatureSecret,
    store: new RedisStore({ client: redisClient }),
  }),
);
```

The cookie object at L58-L64 sets httpOnly, secure, domain, maxAge, and path, but omits sameSite entirely.


Impact

With no sameSite attribute, whether the session cookie is attached to cross-site requests depends on each browser's default handling of unspecified cookies, which is not uniform across browsers, so CSRF resistance is left to those defaults rather than enforced by the application.


Recommendation

Set sameSite: 'strict' (or 'lax') explicitly in the cookie configuration instead of relying on browser defaults.
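As an added example (not code from the bloom-art/api repository), a small TypeScript check that parses a Set-Cookie response header and reports which hardening attributes a session cookie lacks, run over two constructed headers: one matching the configuration above and one with the recommended sameSite set.

```typescript
// Added example; the two sample headers below are constructed, not captured from the project.
type SameSite = "Strict" | "Lax" | "None";

interface CookieAudit {
  name: string;
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite | null; // null when the attribute is absent
  findings: string[];        // human-readable problems, empty when clean
}

// Parse one Set-Cookie header value and flag missing or inconsistent attributes.
function auditSetCookie(header: string): CookieAudit {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const audit: CookieAudit = { name, httpOnly: false, secure: false, sameSite: null, findings: [] };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "httponly": audit.httpOnly = true; break;
      case "secure": audit.secure = true; break;
      case "samesite": {
        const v = value.trim().toLowerCase();
        if (v === "strict") audit.sameSite = "Strict";
        else if (v === "lax") audit.sameSite = "Lax";
        else if (v === "none") audit.sameSite = "None";
        break;
      }
    }
  }
  if (audit.sameSite === null)
    audit.findings.push("missing SameSite: cross-site cookie handling left to browser defaults");
  // SameSite=None is only honoured by browsers when Secure is also present.
  if (audit.sameSite === "None" && !audit.secure)
    audit.findings.push("SameSite=None without Secure: browsers reject the cookie");
  if (!audit.httpOnly) audit.findings.push("missing HttpOnly");
  if (!audit.secure) audit.findings.push("missing Secure");
  return audit;
}

// Constructed: what the cookie block in the finding produces, and the recommended form.
const BEFORE = "connect.sid=s%3Aabc.sig; Domain=api.example.test; Path=/; Max-Age=1800; HttpOnly; Secure";
const AFTER = BEFORE + "; SameSite=Strict";
```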


Resolution

Fixed alongside F-2026-0006 in PR #3706: the entire session stack was deleted, so no session cookie is ever issued and the missing sameSite attribute is vacuous.


© 2026 Zealynx