Missing Helmet configuration on HTTP headers
Overview
Rule ID: javascript_express_helmet_missing
Applicable Languages: JavaScript
Weakness ID: CWE-693
Description
Helmet can help protect your app from well-known web vulnerabilities by setting HTTP headers appropriately. Failing to configure Helmet for HTTP headers leaves your application exposed to various web attacks.
Remediation Guidelines
Do add the Helmet middleware to your application's middleware stack so that it sets security-related HTTP headers on your app's responses.
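A header audit for confirming that the remediation took effect on a response, added here as an example (it is not code from this rule's documentation or from Helmet). The helper name `auditHeaders`, the header list (assumed to match the defaults of recent Helmet releases) and both sample responses are constructed for illustration.

```javascript
// Remediation in an Express app, for reference:
//   const helmet = require("helmet");
//   app.use(helmet());

// Assumption: response headers set by default in recent Helmet releases.
const EXPECTED_HEADERS = [
  "content-security-policy", "cross-origin-opener-policy",
  "cross-origin-resource-policy", "referrer-policy",
  "strict-transport-security", "x-content-type-options",
  "x-dns-prefetch-control", "x-download-options",
  "x-frame-options", "x-permitted-cross-domain-policies",
];

// Hypothetical helper: reports what a response lacks compared with that list.
function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise before comparing.
  const seen = new Map(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = EXPECTED_HEADERS
    .filter((name) => !seen.has(name))
    .map((name) => `missing: ${name}`);
  // Express sends X-Powered-By unless it is disabled; Helmet removes it.
  if (seen.has("x-powered-by")) findings.push("exposed: x-powered-by");
  // A header that is present with the wrong value gives no protection.
  const nosniff = seen.get("x-content-type-options");
  if (nosniff !== undefined && nosniff.trim().toLowerCase() !== "nosniff") {
    findings.push("invalid: x-content-type-options");
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: headers from an Express app with no Helmet middleware.
const WITHOUT_HELMET = { "X-Powered-By": "Express", "Content-Type": "text/html" };
// Constructed sample: the same response after app.use(helmet()).
const WITH_HELMET = {
  "Content-Type": "text/html",
  "Content-Security-Policy": "default-src 'self'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "Referrer-Policy": "no-referrer",
  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-DNS-Prefetch-Control": "off",
  "X-Download-Options": "noopen",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Permitted-Cross-Domain-Policies": "none",
};
console.log(auditHeaders(WITHOUT_HELMET), auditHeaders(WITH_HELMET));
```

The same function can be fed the headers of a real response in an integration test, so a missing or removed `app.use(helmet())` fails the build.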
Configuration
To omit this rule during a scan, and for continuous 24/7 code-level scanning, you can use our SAST tool.