security.cryptography

Use constant-time secret comparison

Secrets and tokens should not be compared with ordinary equality operators.

# Metadata

# Why it matters

Ordinary string comparison returns as soon as it finds the first mismatched character, so its running time depends on how much of the supplied value is correct; an attacker who can measure that timing difference can use it to guess secret material.

# Remediation

Use a constant-time comparison helper such as `crypto.timingSafeEqual` for secrets, tokens, and password hashes.
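The pattern described above, written as an added example for Node.js (not code from the rule catalog): a `===` comparison beside a constant-time version. `crypto.timingSafeEqual` requires both buffers to have the same length and throws otherwise, so the hardened helper compares fixed-length SHA-256 digests of the two values; the function names and the sample token are constructed for this illustration.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Vulnerable: === stops at the first mismatched character, so the time it
// takes reveals how many leading characters of the guess were correct.
function unsafeTokenEquals(expected: string, provided: string): boolean {
  return expected === provided;
}

// Hardened: hash both values to a fixed 32-byte digest, then compare the
// digests in constant time. Hashing first means timingSafeEqual never
// throws on a length mismatch, and the length of the secret is not leaked.
function safeTokenEquals(expected: string, provided: string): boolean {
  const a = createHash("sha256").update(expected, "utf8").digest();
  const b = createHash("sha256").update(provided, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Variant for values whose length is already public (e.g. a fixed-size
// API token): compare the raw bytes, rejecting early only on length.
function safeBytesEqual(expected: Buffer, provided: Buffer): boolean {
  if (expected.length !== provided.length) {
    return false; // timingSafeEqual would throw a RangeError here
  }
  return timingSafeEqual(expected, provided);
}

// Constructed sample token for the demonstration below.
const storedToken = "s3cret-token-0123456789";

function demo(): boolean {
  const fromRequest = "s3cret-token-0123456789";
  return safeTokenEquals(storedToken, fromRequest) &&
    safeBytesEqual(Buffer.from(storedToken), Buffer.from(fromRequest));
}
```

Use `safeTokenEquals` wherever the catalog's rule would flag `===` on a secret; the digest step adds one hash per comparison, which is negligible next to the request it protects.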

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml.