45 lines
1022 B
Plaintext
45 lines
1022 B
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
https://www.npmjs.com/package/express[Express.js] name is disclosed by default into the ``++x-powered-by++`` HTTP header:
|
|
|
|
----
|
|
let express = require('express');
|
|
let app = express(); // Sensitive
|
|
|
|
app.get('/', function (req, res) {
|
|
res.send('hello')
|
|
});
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
``++x-powered-by++`` HTTP header should be disabled in https://www.npmjs.com/package/express[Express.js] with ``++app.disable++`` or with helmet https://www.npmjs.com/package/helmet[hidePoweredBy] middleware:
|
|
|
|
----
|
|
let express = require('express');
|
|
|
|
let app1 = express(); // Compliant
|
|
app1.disable("x-powered-by");
|
|
|
|
let helmet = require("helmet");
|
|
let app2 = express(); // Compliant
|
|
app2.use(helmet.hidePoweredBy());
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|