Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Default Quality Profiles:
      Sonar way, Sonar way recommended

      Description

      Sensitive Code Example

      In an Express.js application, the code is sensitive if the expect-ct middleware provided by Helmet is explicitly disabled, because the Expect-CT header is then never sent:

      const express = require('express');
      const helmet = require('helmet');
      
      let app = express();
      
      app.use(
          helmet({
            expectCt: false // Sensitive
          })
      );
      

      Compliant Solution

      In an Express.js application, the expect-ct middleware provided by Helmet is the standard way to implement Expect-CT. Deployment of this policy usually starts in report-only mode (enforce: false) with a low maxAge value (the number of seconds for which the policy applies to the host), so that certificate-transparency failures produce reports rather than blocked connections. Once the reports show that everything works, it is recommended to block future connections that violate the Expect-CT policy (enforce: true) and to raise the maxAge value:

      const express = require('express');
      const helmet = require('helmet');
      
      let app = express(); 
      
      app.use(helmet.expectCt({
        enforce: true,
        maxAge: 86400
      })); // Compliant
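      To make the staged rollout above checkable without a browser, here is an added example that is not part of the rule page or of Helmet itself: a small stand-in for helmet.expectCt that builds the Expect-CT header from the same option names (maxAge, enforce, reportUri), a parser for the header, and an assessment function that classifies a server's header the way this rule does (missing means the middleware is disabled, then report-only, then enforced). The report endpoint URL and the ROLLOUT stages are constructed for the example; the middleware stub runs under plain Node.js with no Express or Helmet dependency. Note that browsers have since deprecated the Expect-CT header, so verify that your Helmet version still exposes this middleware before relying on it.

```javascript
'use strict';

// Build the Expect-CT header value from helmet.expectCt-style options.
// Header syntax: max-age=<seconds>[, enforce][, report-uri="<url>"]
function buildExpectCt({ maxAge = 0, enforce = false, reportUri } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (enforce) directives.push('enforce');
  if (reportUri) directives.push(`report-uri="${reportUri}"`);
  return directives.join(', ');
}

// Express-style middleware factory: sets the header on every response, then continues.
function expectCt(options) {
  const value = buildExpectCt(options);
  return function expectCtMiddleware(req, res, next) {
    res.setHeader('Expect-CT', value);
    next();
  };
}

// Parse a header value back into { maxAge, enforce, reportUri }.
function parseExpectCt(value) {
  const result = { maxAge: null, enforce: false, reportUri: null };
  for (const raw of value.split(',')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (name === 'max-age') {
      if (!/^\d+$/.test(val || '')) throw new SyntaxError(`bad max-age directive: ${directive}`);
      result.maxAge = Number(val);
    } else if (name === 'enforce') {
      result.enforce = true;
    } else if (name === 'report-uri') {
      result.reportUri = val ? val.replace(/^"|"$/g, '') : null;
    }
  }
  if (result.maxAge === null) throw new SyntaxError('max-age directive is required');
  return result;
}

// Classify a response header as this rule would. A missing header is what
// `expectCt: false` produces; report-only is the first rollout stage; a short
// max-age under enforce is flagged separately from a fully enforced policy.
function assessExpectCt(headerValue, minMaxAge = 86400) {
  if (headerValue === undefined || headerValue === null) return 'missing';
  const policy = parseExpectCt(headerValue);
  if (!policy.enforce) return 'report-only';
  return policy.maxAge >= minMaxAge ? 'enforced' : 'enforced-short-max-age';
}

// The two rollout stages described above (constructed values; example report URL).
const ROLLOUT = {
  reportOnly: { enforce: false, maxAge: 30, reportUri: 'https://example.com/ct-report' },
  enforcing: { enforce: true, maxAge: 86400, reportUri: 'https://example.com/ct-report' },
};

// Run a middleware against a stub response object and return what it set.
function runMiddleware(middleware) {
  const headers = {};
  let nextCalled = false;
  const res = { setHeader(name, value) { headers[name.toLowerCase()] = value; } };
  middleware({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Stand-alone demo: show the header each stage emits and how it is classified.
for (const [stage, options] of Object.entries(ROLLOUT)) {
  const { headers } = runMiddleware(expectCt(options));
  console.log(`${stage}: ${headers['expect-ct']} -> ${assessExpectCt(headers['expect-ct'])}`);
}
console.log(`middleware disabled (expectCt: false) -> ${assessExpectCt(undefined)}`);
```

The same assessExpectCt function can be pointed at a real deployment by fetching the site's response headers and passing the Expect-CT value; a result of 'missing' corresponds to the sensitive configuration above, and 'report-only' means the rollout has not yet moved to enforce: true.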
      

            People

             Assignee: Unassigned
             Reporter: Eric Therond (eric.therond)