expressjs · Ayoub-Mabrouk · Dec 20, 2025
diff --git a/index.js b/index.js
@@ -546,7 +546,7 @@ function getcookie(req, name, secrets) {
     raw = cookies[name];
 
     if (raw) {
-      if (raw.substr(0, 2) === 's:') {
+      if (raw.slice(0, 2) === 's:') {
         val = unsigncookie(raw.slice(2), secrets);
 
         if (val === false) {
@@ -573,7 +573,7 @@ function getcookie(req, name, secrets) {
     raw = req.cookies[name];
 
     if (raw) {
-      if (raw.substr(0, 2) === 's:') {
+      if (raw.slice(0, 2) === 's:') {
         val = unsigncookie(raw.slice(2), secrets);
 
         if (val) {
@@ -648,7 +648,7 @@ function issecure(req, trustProxy) {
   var header = req.headers['x-forwarded-proto'] || '';
   var index = header.indexOf(',');
   var proto = index !== -1
-    ? header.substr(0, index).toLowerCase().trim()
+    ? header.slice(0, index).toLowerCase().trim()
     : header.toLowerCase().trim()
 
   return proto === 'https';

diff --git a/test/session.js b/test/session.js
@@ -1019,9 +1019,9 @@
         var store = new session.MemoryStore()
         var server = createServer({ resave: false, store: store }, function (req, res) {
           if (req.method === 'PUT') {
-            req.session.token = req.url.substr(1)
+            req.session.token = req.url.slice(1)
           }
           res.end('token=' + (req.session.token || ''))
         })

        request(server)