typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled
The X-XSS-Protection header is set to 0, which disables the browser's XSS filter.
Definition
rules:
  - id: nestjs-header-xss-disabled
    # Flags NestJS handlers that set X-XSS-Protection to '0' through the @Header
    # decorator. The pattern below only matches the decorator form with the
    # string literal '0'; a header written at runtime through the response
    # object, or a numeric 0, does not appear to be covered — verify if needed.
    message: X-XSS-Protection header is set to 0. This will disable the browser's
      XSS Filter.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      category: security
      technology:
        - nestjs
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # NOTE(review): the legacy browser XSS filter has been removed from the
      # Chromium-based browsers and was never implemented by Firefox; current
      # OWASP header guidance favours a value of 0 (or omitting the header) and
      # relying on Content-Security-Policy instead. A hit is therefore an
      # audit-level signal, consistent with the LOW ratings below — confirm
      # against current guidance before treating it as a defect.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - typescript
    severity: WARNING
    # The header name is matched case-insensitively via character classes;
    # the header value must be the literal string '0'.
    pattern: >
      class $CN {
        ...
        @Header("=~/[Xx]-[Xx][Ss][Ss]-[Pp][Rr][Oo][Tt][Ee][Cc][Tt][Ii][Oo][Nn]/", '0')
        $FN(...) {
          ...
        }
        ...
      }
Examples
nestjs-header-xss-disabled.ts
import { Controller, Get, Header, Redirect, Query } from '@nestjs/common';
import { AppService } from './app.service';
// ruleid:nestjs-header-xss-disabled
@Controller()
export class AppController1 {
  constructor(private readonly appService: AppService) {}

  /**
   * Positive fixture for nestjs-header-xss-disabled: the handler sets
   * `X-XSS-Protection: 0` through the `@Header` decorator, which is the
   * decorator form the rule's pattern matches on.
   *
   * @returns whatever `appService.getHello()` returns.
   */
  @Get('test1')
  @Header('X-XSS-Protection', '0')
  getHello1(): string {
    return this.appService.getHello();
  }
}
// ok: nestjs-header-xss-disabled
@Controller()
export class AppController2 {
  constructor(private readonly appService: AppService) {}

  /**
   * Negative fixture: the header value is '1', so the pattern (which requires
   * the literal '0') must not match. Note that this only documents what the
   * rule does; current header guidance relies on Content-Security-Policy
   * rather than the legacy X-XSS-Protection filter — confirm before reusing
   * this value in production code.
   *
   * @returns whatever `appService.getHello()` returns.
   */
  @Get('test1')
  @Header('X-XSS-Protection', '1')
  getHello2(): string {
    return this.appService.getHello();
  }
}