Akshay phalphale
Reputation: 225
Checkmarx: Missing HSTS Header in React Application
I have performed Checkmarx scan on React application. It is showing following scan result:
Missing HSTS Header :
The web-application does not define an HSTS header, leaving it vulnerable to attack.
Error is showing for following highlighted code:
const client = async (endpoint, customConfig, isStaticContent) => {
return fetch(fullUrl, config).then((response) => {
if (typeof response?.setHeader === 'function') {
response?.setHeader(
'Strict-Transport-Security',
'max-age=63072000', //error showing for this line
'includeSubDomains'
)
}
})
}
I have checked in response header on chrome dev tools.
Application has following header:
strict-transport-security: max-age=31536000 ; includeSubDomains
How to resolve this checkmarx issue ?
Upvotes: 3
Views: 6150
Answers (1)
jkhines
Reputation: 1129
According to this answer, all of your HSTS values must be on the same line for Checkmarx to pass. For example:
response?.setHeader(
'Strict-Transport-Security',
'max-age=63072000; includeSubDomains'
)Upvotes: 3
Related Questions
- Checkmarx scan - how to fix Missing_HSTS_Header warning?
- HSTS preventing access to a subdomain mapped to localhost using hosts and using self-signed certificate
- cannot verify JWT- ERR_HTTP_HEADERS_SENT: Cannot set headers after they are sent to the client
- HSTS (HTTP Strict Transport Security) on Node-red
- React bad Header Request
- hsts deprecated The "includeSubdomain" paramter is deprecated
- How do I add HSTS headers to my nginx / react app on app engine flex?
- React checksum invalid server rendering
- HMR with server-rendering causes invalid checksum
- Modify response header with sails.js for implementing HSTS