ajinabraham.njsscan.header_xss_protection.header_xss_lusca

profile photo of ajinabrahamajinabraham
Author
1,129
Download Count*
GPLv3
License

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: header_xss_lusca
    patterns:
      - pattern-inside: |
          $X = require('lusca')
          ...
      - pattern-not: |
          $X.use(helmet())
      - pattern-either:
          - pattern: |
              $X.xssProtection(false)
          - pattern: |
              $X({ xssProtection: false})
    message: X-XSS-Protection header is set to 0. This will disable the browser's
      XSS Filter.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a6
      cwe: cwe-693
      license: LGPL-3.0-or-later