Checkmarx scan - how to fix Missing_HSTS_Header warning?
After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header. It is on this piece of code that just returns the content of the metadata.json file (highlighted as the source of the error is "res.json").
const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();
// Route that returns the parsed contents of metadata.json; Checkmarx flags res.json here.
app.get('/metadata', (req, res, next) => {
  res.json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
});
Initially, it looked like an easy fix. For example, in this link I found 3 possible solutions - https://github.com/cloudfoundry-incubator/service-fabrik-broker/issues/445 .
But the problem is that none of those works. I tried to use helmet, I used the hsts npm package, and I explicitly set the HSTS header in the code with this command.
res.setHeader("Strict-Transport-Security", "max-age=31536000");
Yet Checkmarx still complains. Did someone else also experience this? If yes, do you have an idea of what could be wrong and why all the solutions posted online do not work? Thank you.
EDIT: Here I found an explicit way in the Checkmarx documentation, but the warning keeps appearing - https://github.com/Checkmarx/JS-SCP/blob/master/src/communication-security/ssl-tls.md
Solution 1:[1]
We had the same issue with Checkmarx. Apparently, Checkmarx has a bug by expecting everything on a single line.
You can resolve this by setting the header and sending the response in one line:
res.setHeader("Strict-Transport-Security", "max-age=31536000").json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
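As an added example (not code from either poster), the following sets the Strict-Transport-Security header from app-wide middleware so that every route carries it regardless of how the response is sent, and includes a small validator that checks a received header value the way a scanner or a response-header test would. It assumes an Express app; the middleware itself only relies on res.setHeader and the function names are my own.

```javascript
// Added example: app-wide HSTS middleware for Express plus a validator for the
// header value. Express is assumed to be installed; nothing here imports it.
const ONE_YEAR = 31536000;

// Build the Strict-Transport-Security value from explicit options.
function buildHstsValue({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// Express-style middleware: sets the header before any route handler runs,
// so individual handlers (like the /metadata route) cannot forget it.
function hstsMiddleware(options) {
  const value = buildHstsValue(options);
  return function hsts(req, res, next) {
    res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Parse a received header value and report whether it meets a minimum max-age.
// Directive names are case-insensitive, so compare in lower case.
function checkHsts(headerValue, minMaxAge = ONE_YEAR) {
  if (typeof headerValue !== 'string') return { ok: false, reason: 'header missing' };
  const directives = headerValue.split(';').map((d) => d.trim().toLowerCase());
  const maxAgeDirective = directives.find((d) => d.startsWith('max-age='));
  if (!maxAgeDirective) return { ok: false, reason: 'max-age missing' };
  const maxAge = Number(maxAgeDirective.slice('max-age='.length));
  if (!Number.isInteger(maxAge)) return { ok: false, reason: 'max-age not an integer' };
  if (maxAge < minMaxAge) return { ok: false, reason: `max-age ${maxAge} below ${minMaxAge}`, maxAge };
  return {
    ok: true,
    maxAge,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// Usage with Express (the poster's route left unchanged):
//   const app = express();
//   app.use(hstsMiddleware({ maxAge: 31536000, includeSubDomains: true }));
//   app.get('/metadata', (req, res) => res.json(/* ... */));
```

Note that browsers only honour HSTS on responses received over HTTPS, so the header must reach the client over TLS (directly or via the terminating proxy) to have any effect.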
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | sathya