Made by DeepSource

Avoid insecure HTTP header configuration for nosniffing header JS-S1001

Security
Critical
Autofix

It is recommended to implement the X-Content-Type-Options header with the value nosniff (the only value defined for this header). It is supported by all modern browsers and stops the browser from performing MIME type sniffing, so that a resource whose Content-Type header does not match its content is not interpreted as the sniffed type.

A MIME sniffing attack is a common type of exploit that tricks a web browser into interpreting a resource as a different type than the one expected. To interpret a resource (script, image, stylesheet) correctly, browsers look at the Content-Type header of the HTTP response received from the server. Still, this header is often missing or set to an incorrect value because of invalid configuration.

Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners help detect misconfigurations, default accounts or configurations, unnecessary services, legacy options, and so on. Attackers often try to exploit unpatched flaws or to access default accounts, unused pages, unprotected files and directories, and the like, to gain unauthorized access to or knowledge of the system. As a consequence, attackers can gain unauthorized access to some system data or functionality; occasionally, such flaws result in a complete system compromise. The business impact depends on the protection needs of the application and its data.

This can be prevented with a proper configuration of security headers. In Node.js this is mostly done with the popular helmet library. One of the security measures recommended by OWASP is an automated process that verifies the configuration. This issue helps prevent the exploit by checking the helmet configuration.

Bad Practice

const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet({
    noSniff: false // Sensitive: disables the X-Content-Type-Options: nosniff header
  })
)

Recommended

const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
  helmet({
    noSniff: true // Compliant: every response carries X-Content-Type-Options: nosniff
  })
)