Missing Helmet configuration on HTTP headers

• Rule ID: javascript_express_helmet_missing
• Languages: javascript
• Source: helmet_missing.yml

Description

Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Failing to configure Helmet for HTTP headers leaves your application vulnerable to several web attacks.

Remediations

• Do use Helmet middleware to secure your app by adding it to your application's middleware.

  const helmet = require("helmet");
  app.use(helmet());

References

• Express Security Best Practices: Use Helmet

Associated CWE

• CWE-693: Protection Mechanism Failure

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_helmet_missing

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_helmet_missing