42 lines
1006 B
Plaintext
42 lines
1006 B
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/dns-prefetch-control[dns-prefetch-control] middleware is disabled or used without the recommended value:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet.dnsPrefetchControl({
|
|
allow: true // Sensitive: allowing DNS prefetching is security-sensitive
|
|
})
|
|
);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In Express.js application the https://www.npmjs.com/package/dns-prefetch-control[dns-prefetch-control] or https://www.npmjs.com/package/helmet[helmet] middleware is the standard way to implement ``++X-DNS-Prefetch-Control++`` header:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet.dnsPrefetchControl({
|
|
allow: false // Compliant
|
|
})
|
|
);
|
|
----
|
|
|
|
include::../see.adoc[]
|