React Router
Security scanning for React Router 7 apps
React Router 7 (the merge of Remix into RR) puts loaders and actions back on your server, which means the security model is now full-stack: same considerations as Remix on cookies, CORS, and CSP.
Most common issues
- Loaders that return sensitive data without auth checks
- Missing CSP/HSTS at the host layer
- Resource routes returning JSON without CORS allowlist
What SafeToShip checks for React Router
- headers
- js-secrets
- cors
- cookies
- ssl
- exposed-files
FAQ
Frequently asked questions
- Are loader functions a security risk?
- Loaders can return any data — including data the requesting user should not see. Always check authentication AND authorization in loaders. Same for actions.
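An added example (not SafeToShip's or React Router's own code) of a loader that does both checks the answer above asks for: it authenticates the caller from a session cookie, then authorizes that caller against the specific document requested. The argument type mirrors React Router's `LoaderFunctionArgs` but is declared locally, and the session store, document table, cookie name `__session` and the `loadStatus` helper are all constructed for the example so it runs without the `react-router` package.

```typescript
// Added example: a React Router 7 loader with authentication AND authorization.
// `LoaderArgs` mirrors the shape of React Router's LoaderFunctionArgs but is
// declared here so the file runs stand-alone (assumption, not the library type).
type LoaderArgs = { request: Request; params: Record<string, string | undefined> };

// Constructed sample data standing in for a session store and a database.
const sessions: Record<string, { userId: string }> = {
  "sess-alice": { userId: "alice" },
  "sess-bob": { userId: "bob" },
};
const documents: Record<string, { ownerId: string; body: string }> = {
  "doc-1": { ownerId: "alice", body: "alice's private notes" },
};

// Minimal cookie parser: returns the value of one named cookie, if present.
function readCookie(request: Request, name: string): string | undefined {
  const header = request.headers.get("cookie") ?? "";
  for (const part of header.split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) return decodeURIComponent(rest.join("="));
  }
  return undefined;
}

// Authentication: who is making the request? Throws a 401 Response if unknown.
// (Cookie name `__session` is an assumption for the example.)
function requireUser(request: Request): { userId: string } {
  const sid = readCookie(request, "__session");
  const session = sid ? sessions[sid] : undefined;
  if (!session) throw new Response("Unauthorized", { status: 401 });
  return session;
}

// The loader: authenticate first, then authorize against the requested record.
// Kept synchronous here; a real loader would usually await a database call.
export function loader({ request, params }: LoaderArgs): Response {
  const user = requireUser(request);
  const doc = params.docId ? documents[params.docId] : undefined;
  // 404 for a missing document so a probe cannot tell "missing" from "not yours".
  if (!doc) throw new Response("Not Found", { status: 404 });
  // Authorization: being logged in is not enough; the caller must own the doc.
  if (doc.ownerId !== user.userId) throw new Response("Forbidden", { status: 403 });
  return new Response(JSON.stringify({ body: doc.body }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

// Helper for exercising the loader: maps thrown Responses to their status code.
export function loadStatus(cookie: string | undefined, docId: string): number {
  const headers = new Headers();
  if (cookie) headers.set("cookie", cookie);
  const request = new Request("http://localhost/docs/" + docId, { headers });
  try {
    return loader({ request, params: { docId } }).status;
  } catch (e) {
    if (e instanceof Response) return e.status;
    throw e;
  }
}
```

Throwing a `Response` from a loader is the React Router convention for short-circuiting to an error boundary; the same `requireUser` plus ownership check belongs in the matching `action` export, since form submissions bypass the loader entirely.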
- Where does CSP go in React Router 7?
- Set headers via the headers export on root.tsx or at your host (Netlify _headers, Vercel headers). For per-request nonces, generate in entry.server.tsx and pipe through context.
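An added example (not SafeToShip's or React Router's own code) of the per-request nonce flow described above: a nonce generator of the kind `entry.server.tsx` would call once per request, a function that writes the CSP and HSTS headers onto the response headers `handleRequest` receives, a static `headers` export of the kind `root.tsx` can provide for the nonce-free headers, and a small CSP parser for checking the result. The header names and values are choices made for this example; only the `headers` export name and the "generate in entry.server.tsx" pattern come from the page.

```typescript
// Added example: per-request CSP nonce plus HSTS for a React Router 7 app.
import { randomBytes } from "node:crypto";

// One fresh nonce per response: 16 random bytes, base64-encoded (24 chars).
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// CSP value for this response. Only scripts carrying the nonce may run;
// 'strict-dynamic' lets those trusted scripts load further chunks themselves.
export function buildCsp(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Call this from handleRequest in entry.server.tsx with the responseHeaders it
// receives, right after generating the nonce that is also passed to the markup.
export function applySecurityHeaders(responseHeaders: Headers, nonce: string): Headers {
  responseHeaders.set("Content-Security-Policy", buildCsp(nonce));
  // Two years, subdomains included; add `preload` only once every host is ready.
  responseHeaders.set("Strict-Transport-Security", "max-age=63072000; includeSubDomains");
  responseHeaders.set("X-Content-Type-Options", "nosniff");
  responseHeaders.set("Referrer-Policy", "strict-origin-when-cross-origin");
  return responseHeaders;
}

// Static headers that need no per-request value can live in the `headers`
// export of root.tsx instead. Argument shape is an assumption for the example.
type HeadersArgs = { loaderHeaders: Headers; parentHeaders: Headers };
export function headers(_args: HeadersArgs): Record<string, string> {
  return {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
  };
}

// Parses a CSP header into directive -> sources, for checking what was set.
export function parseCsp(value: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const directive of value.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

// True when script-src carries the given nonce and nothing like 'unsafe-inline'.
export function cspNonceIsEffective(value: string, nonce: string): boolean {
  const scriptSrc = parseCsp(value).get("script-src") ?? [];
  return scriptSrc.includes(`'nonce-${nonce}'`) && !scriptSrc.includes("'unsafe-inline'");
}
```

The nonce must reach both places: the header (via `applySecurityHeaders`) and the rendered `<script>` tags, which in React Router means passing it to the server renderer and on through context to any component that emits inline scripts. A nonce that appears in the header but not on a script, or vice versa, blocks your own app.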
Fix guides
Common React Router fixes
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Run a React Router security scan
Free. 70+ checks. 60 seconds.