security.misconfiguration

Serve static assets before session middleware

Static assets should be mounted before session middleware when they do not need session state.

# Metadata

# Why it matters

Serving public assets after session middleware broadens the session surface and adds unnecessary auth-state handling to static traffic.

# Remediation

Mount `express.static()` before session middleware unless the static path genuinely requires session state.
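The ordering this remediation describes, shown as a flagged and a corrected mount order with a small check that tells them apart. This is an added example, not the rule's own implementation: the sample apps are constructed, and `findStaticAfterSession` is a hypothetical line-based heuristic that assumes the app variable is named `app` and each `app.use(...)` call sits on one line.

```javascript
// Constructed sample: static assets mounted AFTER the session middleware,
// so every asset request passes through session handling first.
const FLAGGED = `
const app = express();
app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }));
app.use('/assets', express.static('public'));
app.get('/account', requireLogin, showAccount);
`;

// Constructed sample: the same app with static assets mounted first.
const CORRECTED = `
const app = express();
app.use('/assets', express.static('public'));
app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }));
app.get('/account', requireLogin, showAccount);
`;

// Hypothetical helper (assumption, not the catalog rule's logic): returns one
// finding per express.static() mount registered after the first session
// middleware. Registration order is read from line order in the source text.
function findStaticAfterSession(source) {
  const findings = [];
  let sessionLine = 0; // 0 means no session middleware seen yet
  source.split('\n').forEach((text, index) => {
    const line = index + 1;
    // Drop trailing line comments so a remark mentioning session() on a
    // static mount line is not mistaken for a session registration.
    const code = text.replace(/\/\/.*$/, '').trim();
    if (!code.startsWith('app.use(')) return; // also skips commented-out lines
    if (sessionLine === 0 && /\bsession\s*\(/.test(code)) {
      sessionLine = line;
    } else if (sessionLine !== 0 && /\bexpress\.static\s*\(/.test(code)) {
      findings.push({ line, sessionLine, code });
    }
  });
  return findings;
}

console.log(findStaticAfterSession(FLAGGED));
console.log(findStaticAfterSession(CORRECTED));
```

A static mount that genuinely needs session state will also be reported by this heuristic and has to be reviewed by hand.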

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-static-assets-after-session.rule.yaml`.