ast/insecure-session-config
Insecure session configuration: hardcoded secret or cookie security off
What it detects
A session() / cookieSession() / expressSession() factory was called with at least one of: a string-literal `secret` (hardcoded, so anyone who can read the repo can forge session cookies), `cookie.httpOnly: false` (JavaScript running on the page can read the cookie), or `cookie.secure: false` (the browser also sends the cookie over plain HTTP, where it can be intercepted). Load the secret from process.env, and set httpOnly and secure to true in production.
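As an added illustration (not the rule's own code and not from any project the rule scans), the three flagged option patterns next to a builder that takes the secret from the environment, plus a plain-object check that mirrors the rule's description so it runs without express-session installed. The names `insecureSessionOptions`, `buildSessionOptions` and `checkSessionOptions` are assumed here; `SESSION_SECRET` is a constructed variable name.

```javascript
// Flagged shape: literal secret, httpOnly and secure switched off.
const insecureSessionOptions = {
  secret: "keyboard cat",            // hardcoded: anyone with the repo can sign cookies
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: false, secure: false },
};

// Hardened shape. `env` is passed in so the builder is testable; real code
// passes process.env. Fails closed if the secret is missing instead of
// falling back to a built-in default.
function buildSessionOptions(env) {
  if (!env.SESSION_SECRET) {
    throw new Error("SESSION_SECRET is not set");
  }
  const isProduction = env.NODE_ENV === "production";
  return {
    secret: env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      httpOnly: true,
      secure: isProduction,          // true in production; plain-HTTP dev would otherwise never get the cookie
      sameSite: "lax",
    },
  };
}

// Runtime mirror of the rule's three checks. The real rule works on the AST and
// can see whether `secret` is a string literal; a plain object cannot carry that,
// so the caller states it via `secretIsLiteral`.
function checkSessionOptions(opts, secretIsLiteral) {
  const findings = [];
  if (secretIsLiteral) findings.push("hardcoded secret");
  const cookie = opts.cookie || {};
  if (cookie.httpOnly === false) findings.push("cookie.httpOnly is false");
  if (cookie.secure === false) findings.push("cookie.secure is false");
  return findings;
}

module.exports = { insecureSessionOptions, buildSessionOptions, checkSessionOptions };
```

With `secure: true`, Express only marks the cookie when it sees an HTTPS request, so behind a TLS-terminating proxy the app also needs `app.set('trust proxy', 1)` or the cookie is never set.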
How it runs
Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.