security.authentication

Avoid predictable token generation

Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.

#Metadata

#Why it matters

Predictable token material makes it easier to guess reset links, invite codes, and session secrets.

#Remediation

Generate the value with `crypto.randomBytes`, `crypto.randomUUID`, or an approved secure token source.
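The pattern this rule targets next to the remediation above, as an added example that is not taken from the rule's own source. It goes one step beyond generation by storing only a hash of the token and comparing in constant time. All function names are hypothetical, and it assumes a Node.js runtime.

```javascript
// Added example; function names are hypothetical, not part of the rule.
const crypto = require("node:crypto");

// BEFORE: the kind of code the rule flags. Math.random() is not a CSPRNG
// and Date.now() is guessable, so the value carries little real entropy.
function weakResetToken() {
  return Date.now().toString(36) + Math.random().toString(36).slice(2);
}

// AFTER: 32 bytes (256 bits) from the OS CSPRNG, encoded URL-safe so the
// value can go straight into a reset or invite link.
function newResetToken(bytes = 32) {
  if (!Number.isInteger(bytes) || bytes < 16) {
    throw new RangeError("token must be at least 16 random bytes");
  }
  return crypto.randomBytes(bytes).toString("base64url");
}

// Session identifier from the other API the remediation names.
function newSessionId() {
  return crypto.randomUUID();
}

// Persist only a hash of the token, so a leaked table yields no usable links.
function hashToken(token) {
  return crypto.createHash("sha256").update(token, "utf8").digest();
}

// Compare the presented token against the stored hash in constant time.
function verifyToken(presented, storedHash) {
  if (typeof presented !== "string" || !Buffer.isBuffer(storedHash)) {
    return false;
  }
  const candidate = hashToken(presented);
  return candidate.length === storedHash.length &&
    crypto.timingSafeEqual(candidate, storedHash);
}
```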

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.predictable-token-generation.rule.yaml`.