ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5689/javascript/rule.adoc
Arseniy Zaostrovnykh d96d948333 change the inline-code delimitters
2020-12-23 14:59:06 +01:00

36 lines
846 B
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
https://www.npmjs.com/package/express[Express.js] name is disclosed by default into the ``x-powered-by`` HTTP header:
----
let express = require('express');
let app = express(); // Sensitive
app.get('/', function (req, res) {
res.send('hello')
});
----
== Compliant Solution
``x-powered-by`` HTTP header should be disabled in https://www.npmjs.com/package/express[Express.js] with ``app.disable`` or with helmet https://www.npmjs.com/package/helmet[hidePoweredBy] middleware:
----
let express = require('express');
let app1 = express(); // Compliant
app1.disable("x-powered-by");
let helmet = require("helmet");
let app2 = express(); // Compliant
app2.use(helmet.hidePoweredBy());
----
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink