Remix
Security scanning for Remix apps
Remix’s strict adherence to web fundamentals (form posts, cookies, progressive enhancement) makes it more secure-by-default than many SPAs. The gaps tend to be CSP, rate limiting on resource routes, and CORS on API-style endpoints.
Most common issues
1. Missing CSP/HSTS/X-Frame-Options on the deployed site
2. Resource routes acting as APIs without a CORS allowlist or auth checks
3. Session cookies missing SameSite or HttpOnly when configured manually
What SafeToShip checks for Remix
- headers
- js-secrets
- cookies
- cors
- ssl
- rate-limit
- exposed-files
FAQ
Frequently asked questions
Does Remix protect me from CSRF?
Form-based mutations plus SameSite=Lax on the session cookie cover the common cases: a browser does not attach a Lax cookie to a cross-site POST, whether it comes from a form or a fetch. Two gaps remain. SameSite is a site boundary, not an origin boundary, so a request from a sibling subdomain still carries the cookie; and a cookie set without an explicit SameSite attribute is left to browser defaults. For state-changing endpoints, add an explicit Origin header check or a CSRF token rather than relying on the cookie attribute alone.
How do I add CSP in Remix?
Set it in the headers export of root.tsx, or at the host (Netlify _headers, Vercel headers config). Note that the headers export of the deepest matching route determines the response headers, so a child route that exports its own headers must forward parentHeaders or the root policy silently disappears on that page; setting the header in handleRequest in entry.server.tsx, which builds every document response, avoids that. For per-request nonces, generate the nonce in entry.server.tsx, pass it to the nonce props of RemixServer, Scripts, ScrollRestoration and LiveReload (the components that emit inline scripts), and hand it to your own components through a React context.
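The explicit origin check recommended in the CSRF answer above, as an added example written for this page; it is not code from the SafeToShip scanner or from Remix. The hostnames (app.example, evil.example) and the sample requests are constructed, and the check is written against the small subset of the Fetch Request that it needs so a real Remix action's `request` can be passed to it unchanged.

```typescript
// Added example, not code from the SafeToShip page or from Remix: the explicit
// origin check for state-changing actions. Hostnames and request samples are
// constructed for illustration.

// The subset of the Fetch Request that the check needs; a real Remix action's
// `request` satisfies it, so `csrfViolation(request)` drops in unchanged.
export interface IncomingRequest {
  method: string;
  url: string;
  headers: { get(name: string): string | null };
}

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Returns null when the request may proceed, otherwise the reason to refuse.
// Origin is checked first, Referer is the fallback, and a request carrying
// neither is refused: browsers always send Origin on a cross-origin POST, so
// its absence means a non-browser client or a stripped header.
export function csrfViolation(req: IncomingRequest): string | null {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;

  const target = new URL(req.url).origin;
  const origin = req.headers.get("origin");
  if (origin !== null) {
    // Exact origin match (scheme, host, port). A sibling subdomain is a
    // different origin even though SameSite treats it as the same site.
    return origin === target ? null : `Origin ${origin} does not match ${target}`;
  }

  const referer = req.headers.get("referer");
  if (referer !== null) {
    try {
      return new URL(referer).origin === target ? null : `Referer origin does not match ${target}`;
    } catch {
      return "malformed Referer header";
    }
  }
  return "no Origin or Referer on a state-changing request";
}

// In an action: `const reason = csrfViolation(request);
// if (reason) throw new Response(reason, { status: 403 });` before reading form data.

// Constructed samples, not captured traffic.
function sample(method: string, url: string, headers: Record<string, string>): IncomingRequest {
  const lower = new Map(
    Object.entries(headers).map(([k, v]): [string, string] => [k.toLowerCase(), v]),
  );
  return { method, url, headers: { get: (name) => lower.get(name.toLowerCase()) ?? null } };
}

const ACTION = "https://app.example/account/email";
export const samples = {
  sameOrigin: sample("POST", ACTION, { Origin: "https://app.example" }),
  crossOrigin: sample("POST", ACTION, { Origin: "https://evil.example" }),
  siblingSubdomain: sample("POST", ACTION, { Origin: "https://blog.app.example" }),
  refererOnly: sample("POST", ACTION, { Referer: "https://app.example/settings" }),
  headerless: sample("POST", ACTION, {}),
  safeGet: sample("GET", "https://app.example/account", {}),
};
```

The sibling-subdomain sample is the case SameSite alone does not cover: the cookie would be attached, and only the origin comparison rejects it. Failing closed on a missing Origin is deliberate; a legitimate non-browser client of an action should be authenticating with something other than a session cookie anyway.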
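As an added example for the CSP answer above (not code from the SafeToShip page or from Remix), the pieces that run in entry.server.tsx: a per-request nonce, the policy string built from it, and the three headers the "headers" check on this page looks for. The directive list is an assumed starting point that a real app adjusts (third-party hosts, inline styles); `cspUsesNonce` is a small self-check a test or scanner can run against the emitted header.

```typescript
import { randomBytes } from "node:crypto";

// Added example, not code from the SafeToShip page or from Remix itself. In a
// Remix app the nonce is generated in entry.server.tsx, passed to the nonce
// props of <RemixServer>, <Scripts>, <ScrollRestoration> and <LiveReload>, and
// the header is set on the document response there. Directive sources below
// are an assumed baseline, not a policy every app can adopt unchanged.

// 128 bits of randomness, base64-encoded: the form CSP expects in 'nonce-…'.
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Assemble the header from a directive map so the source lists read as data.
export function buildCsp(nonce: string, extraConnect: string[] = []): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    // Only nonce-tagged scripts run; 'strict-dynamic' lets them load further
    // scripts (Remix's module graph) without listing every host.
    "script-src": [`'nonce-${nonce}'`, "'strict-dynamic'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", ...extraConnect],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "object-src": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// The three headers the "headers" check looks for, shaped like the object a
// route's `headers` export returns. HSTS max-age here is one year.
export function securityHeaders(nonce: string): Record<string, string> {
  return {
    "Content-Security-Policy": buildCsp(nonce),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
  };
}

// Self-check: does the emitted header carry this request's nonce in
// script-src, without an 'unsafe-inline' that would make the nonce pointless?
export function cspUsesNonce(csp: string, nonce: string): boolean {
  const script = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  return (
    script !== undefined &&
    script.includes(`'nonce-${nonce}'`) &&
    !script.includes("'unsafe-inline'")
  );
}
```

The nonce must be fresh per response; caching a document that carries one defeats the purpose, so document responses with a nonce-based CSP should not be served from a shared cache.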
Fix guides
Common Remix fixes
Missing CSP header
Without a Content-Security-Policy header, any script an attacker manages to inject runs with no browser-side restriction; CSP is the backstop for when output encoding fails. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site read responses from your API. That is fine for genuinely public, read-only data; it is a mistake on endpoints that should only be reached from your own front ends. Here is how to decide and fix it.
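An allowlist-based alternative to `*`, written here as an added example for a Remix resource route; it is not code from the SafeToShip page or from Remix. The allowed hostnames are constructed. The point it demonstrates is that the response echoes an Origin only when it is found in a fixed set, answers preflights itself, and sets `Vary: Origin` so a cache never serves one origin's allow header to another.

```typescript
// Added example, not code from the SafeToShip page or from Remix: CORS
// headers for a resource route, comparing the request's Origin against an
// allowlist instead of using "*" or reflecting the header. Hostnames are
// constructed for illustration.

export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example",
  "https://admin.example",
]);

// Returns the CORS response headers for `origin`, or an empty object when the
// origin is absent or not allowed. Absent means a same-origin or non-browser
// request, which needs no CORS headers; disallowed means the browser blocks
// the cross-origin read, which is the intended outcome.
export function corsHeaders(
  origin: string | null,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS,
): Record<string, string> {
  // An exact set lookup: "https://app.example.evil" and the literal string
  // "null" (sent for sandboxed or opaque origins) both fall through.
  if (origin === null || !allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    // The response differs per Origin; caches must key on it.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
  };
}

// Remix sends non-GET/HEAD requests to a resource route's action, so the
// action sees the OPTIONS preflight. This answers it (204 if allowed, 403 if
// not) and returns null for every other method, meaning: run the route's real
// logic and merge corsHeaders(origin) into its response.
export function preflight(
  method: string,
  origin: string | null,
): { status: number; headers: Record<string, string> } | null {
  if (method.toUpperCase() !== "OPTIONS") return null;
  const headers = corsHeaders(origin);
  return Object.keys(headers).length > 0
    ? { status: 204, headers }
    : { status: 403, headers: {} };
}
```

If the route relies on cookies, add `Access-Control-Allow-Credentials: true` to the allowed branch only; browsers reject that combination with `*`, which is why a credentialed API forces the allowlist design in the first place. The allowlist also does nothing for the authorization gap on this page's issue list: an allowed origin still has to present a valid session or token.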
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
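The cookie attributes the two fix guides above cover, as an added example (not code from the SafeToShip scanner or from Remix): a small audit that parses Set-Cookie values and reports missing Secure, HttpOnly or SameSite, placed next to a weak and a hardened session-cookie configuration so the same audit can run against config before deploying. The sample header values are constructed, and the option shape assumes the `cookie` option of Remix's createCookieSessionStorage.

```typescript
// Added example, not code from the SafeToShip page or from Remix: the attribute
// checks a cookie scan performs, applied to Set-Cookie values, beside the
// session-cookie options that pass them. Header values are constructed.

export interface CookieFinding {
  name: string;
  missing: string[];
}

// Parse one Set-Cookie value into its name and a lower-cased attribute map.
// Attribute values are kept so SameSite=None can be told apart from Lax/Strict.
function parseSetCookie(value: string): { name: string; attrs: Map<string, string> } {
  const [pair, ...rest] = value.split(";").map((p) => p.trim());
  const eqName = pair.indexOf("=");
  const name = eqName === -1 ? pair : pair.slice(0, eqName);
  const attrs = new Map<string, string>();
  for (const part of rest) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? "" : part.slice(eq + 1).toLowerCase());
  }
  return { name, attrs };
}

// Report every cookie lacking Secure, HttpOnly or SameSite, and treat
// SameSite=None as a finding too: it switches the CSRF protection off.
export function auditSetCookies(values: string[]): CookieFinding[] {
  const findings: CookieFinding[] = [];
  for (const v of values) {
    const { name, attrs } = parseSetCookie(v);
    const missing: string[] = [];
    if (!attrs.has("secure")) missing.push("Secure");
    if (!attrs.has("httponly")) missing.push("HttpOnly");
    const sameSite = attrs.get("samesite");
    if (sameSite === undefined) missing.push("SameSite");
    else if (sameSite === "none") missing.push("SameSite=None (cross-site sends allowed)");
    if (missing.length > 0) findings.push({ name, missing });
  }
  return findings;
}

// A cookie configured with only a name and path, beside one with every flag
// set. Shape assumed to mirror the `cookie` option of createCookieSessionStorage;
// use `secure: process.env.NODE_ENV === "production"` if local dev is plain http.
export const weakCookieOptions = { name: "__session", path: "/" };
export const hardenedCookieOptions = {
  name: "__session",
  path: "/",
  httpOnly: true,
  secure: true,
  sameSite: "lax" as const,
  maxAge: 60 * 60 * 24 * 7, // one week, in seconds
};

interface CookieOptions {
  name: string;
  path?: string;
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: "lax" | "strict" | "none";
  maxAge?: number;
}

// Render options into the Set-Cookie value a server would emit, so config can
// be audited with the same function as live headers.
export function renderSetCookie(opts: CookieOptions, value = "opaque"): string {
  const parts = [`${opts.name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  return parts.join("; ");
}

// Constructed header values, as a scanner might see them on a live site.
export const sampleHeaders = [
  "__session=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
  "legacy_sid=xyz; Path=/",
  "tracker=1; Path=/; Secure; SameSite=None",
];
```

The third sample is the one people miss: it has Secure and an explicit SameSite, yet SameSite=None means it rides along on every cross-site request, so it only belongs on cookies that are meant to be read cross-site and never on a session cookie.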
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Run a Remix security scan
Free. 70+ checks. 60 seconds.