Jozef

Reputation: 493

Checkmarx scan - how to fix Missing_HSTS_Header warning?

After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity, Missing_HSTS_Header, on this piece of code, which just returns the content of the metadata.json file (the highlighted source of the error is "res.json").

const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();
// Reads metadata.json on each request and returns it as JSON; Checkmarx points at the res.json call.
app.get('/metadata', (req, res, next) => {
    res.json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
});

Initially, it looked like an easy fix. For example, at this link I found 3 possible solutions: https://github.com/cloudfoundry-incubator/service-fabrik-broker/issues/445 .

But the problem is that none of those works. I tried to use helmet, I used the hsts npm package, and I explicitly set the HSTS header in code with this line:

res.setHeader("Strict-Transport-Security", "max-age=31536000");

Yet Checkmarx still complains. Has someone else experienced this? If so, do you have an idea what could be wrong and why none of the solutions posted online work? Thank you.

EDIT: Here I found an explicit way in the Checkmarx documentation, but the warning keeps appearing: https://github.com/Checkmarx/JS-SCP/blob/master/src/communication-security/ssl-tls.md

Upvotes: 5

Views: 21723

Answers (2)

parag_88

Reputation: 56

We had the same issue with Checkmarx. You can resolve it by setting the header:

res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");

Upvotes: 3

sathya

Reputation: 332

We had the same issue with Checkmarx. Apparently Checkmarx has a bug: it expects everything on a single line.

You can resolve this by setting the header and sending the response in one line:

res.setHeader("Strict-Transport-Security", "max-age=31536000").json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));

Upvotes: 5
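Whatever makes the scanner happy, the thing that matters in production is that every HTTPS response actually carries a well-formed Strict-Transport-Security header, not only the one route the scan flagged. The block below is an added example (not code from the question, the answers, helmet or the hsts package): an Express-style `(req, res, next)` middleware that builds the header value the answers above use, plus a small parser and a `simulate` helper so the result can be checked without a running server. The names `buildHstsValue`, `hstsMiddleware`, `parseHsts` and `simulate` are this example's own.

```javascript
'use strict';

// Build the Strict-Transport-Security value. maxAge is in seconds (the
// answers above use one year). includeSubDomains and preload are opt-in;
// only send "preload" if you intend to submit the site to the browser
// preload list, because a preloaded entry cannot be withdrawn quickly.
function buildHstsValue({ maxAge = 31536000, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// Express-style middleware (hypothetical helper, same contract as helmet's):
// register it with app.use(hstsMiddleware({...})) BEFORE any routes so the
// header is on every response, including the /metadata route's res.json().
// Browsers only honour HSTS received over HTTPS; on plain HTTP the header is
// ignored, so it is harmless but useless there.
function hstsMiddleware(options) {
  const value = buildHstsValue(options);
  return function hsts(req, res, next) {
    res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Parse a Strict-Transport-Security value into its directives so a test or a
// deploy-time smoke check can verify what was actually sent, not just that
// some string was present.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of String(value || '').split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const m = /^max-age=(\d+)$/i.exec(directive);
    if (m) out.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(directive)) out.includeSubDomains = true;
    else if (/^preload$/i.test(directive)) out.preload = true;
  }
  return out;
}

// Run the middleware against a minimal constructed fake response object and
// return what a client would have received, already parsed.
function simulate(options) {
  const headers = {};
  const res = { setHeader(name, v) { headers[name.toLowerCase()] = v; } };
  let nextCalled = false;
  hstsMiddleware(options)({}, res, () => { nextCalled = true; });
  const raw = headers['strict-transport-security'];
  return { nextCalled, raw, parsed: parseHsts(raw) };
}

// Stand-alone demo: prints the header the /metadata response would carry.
console.log(simulate({ maxAge: 31536000, includeSubDomains: true }));
```

The same `parseHsts` check is worth running against the real deployment (for example on the output of `curl -sI https://your-host/metadata`): reverse proxies and CDNs sometimes strip or override the header, and a scanner that reads only the source cannot tell you that.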
