Andrew

Reputation: 940

Can objects attached to requests in expressjs be tampered with?

In Express.js we often attach objects to the req object in middleware, e.g. req.myObject. What prevents a user sending an HTTP request that includes req.myObject already set to some value? For example, I could use req.myObject as part of authentication. Could a user set req.myObject = true when sending a request when it should really be false? Potentially an issue if req.myObject is set on some routes but not others, but middleware that checks req.myObject is re-used across routes.

Upvotes: 3

Views: 842

Answers (1)

laggingreflex

Reputation: 34627

req is an object created by Express when a request is received. It's not something passed directly from the client to the server; in fact, it isn't even available to the client.

A client can only relay information to the server in some limited ways - GET query, POST form data, or route paths, which are attached to the req object by Express as req.query, req.body, and req.params respectively.

Anything else attached to the req object is out of scope of the client, at least directly.

Related question: Node.js request object documentation?

Upvotes: 4
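An added illustration of the exchange above (not code from either poster, and not Express's own code): it shows where client-supplied values land and a reusable check that fails closed on routes where the flag was never set. buildReq and run are constructed stand-ins for Express so the file runs without dependencies; setMyObject, requireMyObject, the x-token header and VALID_TOKENS are hypothetical names.

```javascript
// Stand-in for Express plus a JSON body parser (constructed for this example):
// client input only ever lands under req.query, req.body, req.params, req.headers.
function buildReq(rawUrl, headers, rawBody) {
  const url = new URL(rawUrl, 'http://localhost');
  return {
    path: url.pathname,
    query: Object.fromEntries(url.searchParams),
    headers,
    body: rawBody ? JSON.parse(rawBody) : {},
    params: {},
  };
}

// Server-side middleware: the only code that ever writes req.myObject.
// VALID_TOKENS is a hypothetical credential store with a constructed value.
const VALID_TOKENS = new Set(['constructed-token-123']);
function setMyObject(req, res, next) {
  req.myObject = VALID_TOKENS.has(req.headers['x-token']);
  next();
}

// Reusable check that fails closed: on a route where setMyObject did not run,
// req.myObject is undefined, and anything other than a strict true is rejected.
function requireMyObject(req, res, next) {
  if (req.myObject !== true) { res.statusCode = 403; return; }
  next();
}

// Final route handler.
function ok(req, res) { res.statusCode = 200; }

// Stand-in for Express's dispatch: run the chain in order, return the status.
function run(req, chain) {
  const res = { statusCode: 404 };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res.statusCode;
}

// Constructed request that supplies "myObject" through query, header and body.
function forgedReq() {
  return buildReq('/admin?myObject=true', { myobject: 'true' }, '{"myObject":true}');
}
```

The two middleware functions use the usual (req, res, next) signature, so the same fail-closed check can be mounted in a real Express app.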
