rspec/rules/S5736/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet[helmet] <code>referrerPolicy</code> middleware is not used or used with unsafe values:

----
const express = require('express');
const helmet = require('helmet');

let app = express(); // Sensitive helmet.referrerPolicy not used

app.get('/', function (req, res) {
  res.send('Hello World!<script src="https://example.com/test"></script><script src="http://example.com/test"></script>')
});
----

== Compliant Solution

In Express.js application a standard way to implement referrer-policy is with the https://www.npmjs.com/package/helmet[helmet] middleware:

----
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(helmet.referrerPolicy({policy: 'no-referrer'})); // Compliant

app.get('/', function (req, res) {
  res.send('Hello World!<script src="https://example.com/test"></script><script src="http://example.com/test"></script>')
});
----

include::../see.adoc[]