a0a00c4cba
For review, have a look to our docs: https://docs.sonarsource.com/sonarqube/9.8/extension-guide/adding-coding-rules/#coding-rule-guidelines This should not be merged by an AppSec member, because it contains message information. It should be merged by someone from SonarJS. --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
57 lines
1.1 KiB
Plaintext
57 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In https://www.npmjs.com/package/express[Express.js], version information is
|
|
disclosed by default in the ``++x-powered-by++`` HTTP header:
|
|
|
|
[source, javascript]
|
|
----
|
|
let express = require('express');
|
|
|
|
let example = express(); // Sensitive
|
|
|
|
example.get('/', function (req, res) {
|
|
res.send('example')
|
|
});
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
``++x-powered-by++`` HTTP header should be disabled in
|
|
https://www.npmjs.com/package/express[Express.js] with ``++app.disable++``:
|
|
|
|
[source,javascript]
|
|
----
|
|
let express = require('express');
|
|
|
|
let example = express();
|
|
example.disable("x-powered-by");
|
|
----
|
|
|
|
Or with helmet's https://www.npmjs.com/package/helmet[hidePoweredBy] middleware:
|
|
|
|
[source, javascript]
|
|
----
|
|
let helmet = require("helmet");
|
|
|
|
let example = express();
|
|
example.use(helmet.hidePoweredBy());
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|