Rule Definition
Ensure the developer will work with a list of trusted source. Thanks to Strict-Transport-Security header you will enforces secure (HTTP over SSL/TLS) connections to the server.
Remediation
Ensure you have enable Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
Violation Code Sample
var express = require('express');
var app = express();
app.get('/', function(req, res){
res.send("<html><body>hello world<script type='text/javascript'>alert('got you')</script></body></html>");
});
app.listen(3000);
Fixed Code Sample
// with helmet
var express = require('express');
var app = express();
var helmet = require('helmet');
app.use(helmet.hsts());
app.get('/', function(req, res){
res.send("<html><body><p>hello world</p><script type='text/javascript'>alert('got you')</script></body><html>");
});
app.listen(3000);
Reference
https://expressjs.com/en/advanced/best-practice-security.html
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
https://www.owasp.org/index.php/Top_10_2017-A5-Security_Misconfiguration
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.