Helmet Security Response Header Disabled
Description
One or more security response headers are explicitly disabled in the Helmet configuration (the option for that header's middleware is set to `false`). Helmet sends these headers by default, so disabling one removes the browser-side protection it provides; for example, turning off `frameguard` drops `X-Frame-Options`, which leaves the application frameable by other origins (clickjacking).
Examples
Insecure Code
```javascript
const helmet = require('helmet');
app.use(helmet({ frameguard: false })); // X-Frame-Options is no longer sent
```
Secure Code
```javascript
const helmet = require('helmet');
app.use(helmet({ frameguard: true })); // default: X-Frame-Options: SAMEORIGIN
```
Remediation
Re-enable the disabled security response headers by setting each corresponding Helmet option to `true` (or by removing the option, since Helmet enables all of its headers by default). If a header genuinely has to stay off because it is set elsewhere (for example by a reverse proxy, or a CSP `frame-ancestors` directive in place of `X-Frame-Options`), confirm that the equivalent header is actually present in the served responses rather than relying on the Helmet option alone.
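The following is an added example, not the rule's or Helmet's own code. It shows both halves of the check a practitioner wants: a static audit of the options object passed to `helmet()` that reports every middleware set to `false` together with the response header it would have sent, and a runtime audit of an actual response's headers. The `HELMET_HEADERS` table is an assumption that follows Helmet's documented middleware names; verify it against the Helmet version you run. The configurations and response headers are constructed samples.

```javascript
// Added example (not the rule's or Helmet's code). Maps Helmet option names to
// the response header each middleware sets. Assumed to match Helmet v4+;
// check it against your installed version.
const HELMET_HEADERS = {
  contentSecurityPolicy: 'Content-Security-Policy',
  crossOriginEmbedderPolicy: 'Cross-Origin-Embedder-Policy',
  crossOriginOpenerPolicy: 'Cross-Origin-Opener-Policy',
  crossOriginResourcePolicy: 'Cross-Origin-Resource-Policy',
  dnsPrefetchControl: 'X-DNS-Prefetch-Control',
  frameguard: 'X-Frame-Options',
  hsts: 'Strict-Transport-Security',
  ieNoOpen: 'X-Download-Options',
  noSniff: 'X-Content-Type-Options',
  originAgentCluster: 'Origin-Agent-Cluster',
  permittedCrossDomainPolicies: 'X-Permitted-Cross-Domain-Policies',
  referrerPolicy: 'Referrer-Policy',
  xssFilter: 'X-XSS-Protection',
};

// Static check over the configuration object passed to helmet(). Only a
// literal `false` turns a middleware off; `true`, an options object, or an
// absent key keep it enabled with Helmet's defaults. Unknown keys are ignored.
function findDisabledHelmetHeaders(options = {}) {
  return Object.entries(options)
    .filter(([name, value]) => value === false && name in HELMET_HEADERS)
    .map(([name]) => ({ option: name, header: HELMET_HEADERS[name] }));
}

// Runtime check over the headers of an actual response (for example the
// `res.headers` object from a supertest call in CI). HTTP header names are
// case-insensitive, so compare lower-cased.
function missingSecurityHeaders(responseHeaders, expected = Object.values(HELMET_HEADERS)) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return expected.filter((h) => !present.has(h.toLowerCase()));
}

// CI gate: throw when the configuration disables any header, otherwise return
// the (empty) findings so the caller can log them.
function assertNoDisabledHeaders(options) {
  const disabled = findDisabledHelmetHeaders(options);
  if (disabled.length > 0) {
    const list = disabled.map((d) => `${d.option} (${d.header})`).join(', ');
    throw new Error(`Helmet disables security headers: ${list}`);
  }
  return disabled;
}

// Constructed sample configurations: the rule's insecure example plus a second
// disabled header, and the secure form. An options object (hsts) is not a
// finding; it configures the header rather than removing it.
const insecureConfig = {
  frameguard: false,
  contentSecurityPolicy: false,
  hsts: { maxAge: 31536000 },
};
const secureConfig = { frameguard: true, hsts: { maxAge: 31536000 } };

// Constructed sample response headers, keyed the way Node's http module
// exposes them (lower-cased): a subset of what a Helmet-protected app sends
// once frameguard has been disabled, so X-Frame-Options is absent.
const sampleResponseHeaders = {
  'content-security-policy': "default-src 'self'",
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer',
  'content-type': 'text/html; charset=utf-8',
};

console.log(findDisabledHelmetHeaders(insecureConfig));
// -> [ { option: 'frameguard', header: 'X-Frame-Options' },
//      { option: 'contentSecurityPolicy', header: 'Content-Security-Policy' } ]
console.log(findDisabledHelmetHeaders(secureConfig)); // -> []
console.log(missingSecurityHeaders(sampleResponseHeaders,
  ['X-Frame-Options', 'Content-Security-Policy', 'Strict-Transport-Security']));
// -> [ 'X-Frame-Options' ]
```

Run the static check in a unit test against the object you actually pass to `helmet()`, and the runtime check against a real request in an integration test; the second catches headers that are disabled upstream (a proxy stripping them, a later middleware overwriting them) that no configuration scan can see.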
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0400 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-358 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | Security Response Header, Helmet |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |