Insecure Random

Math.random() used for tokens, secrets, or session IDs

Severity: critical | Category: Security | Rule: insecure-random

Why this matters

Math.random() is not cryptographically secure. Its output is predictable — attackers can guess session tokens, reset codes, and invite links generated this way.

Bad:

function generateToken() {
  // Math.random() is a seeded PRNG; its state can be recovered from a few outputs
  return Math.random().toString(36).slice(2);
}

Good:

import { randomBytes } from "crypto";

function generateToken() {
  // 32 bytes (256 bits) from the OS CSPRNG, hex-encoded to 64 characters
  return randomBytes(32).toString("hex");
}

How to fix

Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) for any security-sensitive random values.
