ajinabraham.njsscan.headers.header_helmet_disabled.helmet_feature_disabled
ajinabrahamAuthor
unknown
Download Count*
License
One or more Security Response header is explicitly disabled in Helmet.
Run Locally
Run in CI
Defintion
rules:
- id: helmet_feature_disabled
patterns:
- pattern-either:
- pattern: |
$HELMET(..., {frameguard: false}, ...)
- pattern: |
$HELMET(..., {contentSecurityPolicy: false}, ...)
- pattern: |
$HELMET(..., {permittedCrossDomainPolicies: false}, ...)
- pattern: |
$HELMET(..., {dnsPrefetchControl: false}, ...)
- pattern: |
$HELMET(..., {expectCt: false}, ...)
- pattern: |
$HELMET(..., {featurePolicy: false}, ...)
- pattern: |
$HELMET(..., {hsts: false}, ...)
- pattern: |
$HELMET(..., {ieNoOpen: false}, ...)
- pattern: |
$HELMET(..., {noSniff: false}, ...)
- pattern: |
$HELMET(..., {hidePoweredBy: false}, ...)
- pattern: |
$HELMET(..., {referrerPolicy: false}, ...)
- pattern: |
$HELMET(..., {xssFilter: false}, ...)
message: One or more Security Response header is explicitly disabled in Helmet.
languages:
- javascript
severity: WARNING
metadata:
owasp-web: a6
cwe: cwe-693
license: LGPL-3.0-or-later
vulnerability_class:
- Other
Short Link: https://sg.run/xpNg