40 lines
1.4 KiB
Plaintext
40 lines
1.4 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/dont-sniff-mimetype[dont-sniff-mimetype] middleware is not used:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
|
||
|
|
let app = express(); // Sensitive
|
||
|
|
|
||
|
|
app.get('/images/picture.png', function (req, res) {
|
||
|
|
res.type('image');
|
||
|
|
res.sendFile( __dirname + '/images/picture.png');
|
||
|
|
});
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
In Express.js application a standard way to instruct browsers to not perform MIME types sniffing is with the https://www.npmjs.com/package/dont-sniff-mimetype[dont-sniff-mimetype] middleware. Note that when using https://expressjs.com/en/4x/api.html#express.static[express.static] X-Content-Type-Options header is automatically set to <code>nosniff</code>:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
const dontSniffMimetype = require('dont-sniff-mimetype');
|
||
|
|
|
||
|
|
let app1 = express();
|
||
|
|
app1.use(dontSniffMimetype()); // Compliant
|
||
|
|
app1.get('/images/picture.png', function (req, res) {
|
||
|
|
res.type('image');
|
||
|
|
res.sendFile( __dirname + '/images/picture.png');
|
||
|
|
});
|
||
|
|
|
||
|
|
let app2 = express();
|
||
|
|
app2.use(express.static('images_repository')); // Compliant, static resources inside images_repository folder are served with X-Content-Type-Options HTTP header set to nosniff
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|