Upcoming improvements to Cross-site Request Forgery findings in Snyk code

Improved

We’re excited to announce several improvements to Cross-site Request Forgery findings in JavaScript, to be released on January 15th, 2025! This update will improve the overall accuracy of the rule and expand our support for several common mitigation libraries.

Changes include:

  • New support for express-csrf-protect library

  • Improved support for lusca, csrf-csrf, and csurf libraries

  • Improved: findings will now only be raised in cases where basic auth or cookie usage is detected (the ambient credentials a Cross-site Request Forgery attack relies on)

  • New support for detection on PUT, DELETE, and PATCH HTTP methods

  • New support for cases where an Express middleware (used to protect against Cross-site Request Forgery issues) is set up in a separate file

Customers with JavaScript projects that have Cross-site Request Forgery findings should expect to see a decrease in false-positive findings.

Please don't hesitate to reach out to your account teams with any inquiries!