rspec/rules/S5730/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware] is not used or used without the <code>block-all-mixed-content</code> directive:

----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({  // Sensitive
  directives: {
    "block-all-mixed-content": false
  }
})
app.use(csp);
----

== Compliant Solution

In Express.js application a standard way to block mixed-content is to put in place the https://www.npmjs.com/package/helmet-csp[helmet-csp middleware]:

----
const express = require('express');
const helmetCsp = require('helmet-csp');

let app = express();
let csp = helmetCsp({  // Compliant
  directives: {
    "block-all-mixed-content": true
  }
})
app.use(csp);
----

include::../see.adoc[]