contrib.nodejsscan.header_helmet_disabled.helmet_feature_disabled

profile photo of returntocorpreturntocorp
Author
99
Download Count*
GPLv3
License

One or more Security Response header is explicitly disabled in Helmet.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: helmet_feature_disabled
    patterns:
      - pattern-either:
          - pattern: |
              $HELMET(..., {frameguard: false}, ...)
          - pattern: |
              $HELMET(..., {contentSecurityPolicy: false}, ...)
          - pattern: |
              $HELMET(..., {permittedCrossDomainPolicies: false}, ...)
          - pattern: |
              $HELMET(..., {dnsPrefetchControl: false}, ...)
          - pattern: |
              $HELMET(..., {expectCt: false}, ...)
          - pattern: |
              $HELMET(..., {featurePolicy: false}, ...)
          - pattern: |
              $HELMET(..., {hsts: false}, ...)
          - pattern: |
              $HELMET(..., {ieNoOpen: false}, ...)
          - pattern: |
              $HELMET(..., {noSniff: false}, ...)
          - pattern: |
              $HELMET(..., {hidePoweredBy: false}, ...)
          - pattern: |
              $HELMET(..., {referrerPolicy: false}, ...)
          - pattern: |
              $HELMET(..., {xssFilter: false}, ...)
    message: One or more Security Response header is explicitly disabled in Helmet.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp: A06:2017 - Security Misconfiguration
      cwe: "CWE-693: Protection Mechanism Failure"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

header_helmet_disabled.js

// ruleid:helmet_feature_disabled
app.use(helmet({
    frameguard: false,
}))


// ruleid:helmet_feature_disabled
app.use(helmet({
    "xssFilter": false
}))