Enforce secure communication by setting the Strict-Transport-Security HTTP header with an appropriate max-age value.
```javascript
import express from 'express';

const app = express();

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
```
The vulnerability in this code is that it does not set the Strict-Transport-Security (HSTS) header in the server's response. The HSTS header is a security feature that instructs the browser to only communicate with the server over HTTPS for a specified period of time.
Without the HSTS header, the server is vulnerable to downgrade attacks, where an attacker can force the connection to use HTTP instead of HTTPS. This can lead to the compromise of confidential information sent through insecure channels.
To fix this vulnerability, the code should include the necessary logic to set the HSTS header with an appropriate max-age value.
```javascript
import express from 'express';
import helmet from 'helmet';

const app = express();

// helmet() applies its default set of security headers.
app.use(helmet());
// Explicitly set Strict-Transport-Security with a one-year max-age (in seconds).
app.use(helmet.strictTransportSecurity({ maxAge: 31536000 }));

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
```
The fixed code addresses the vulnerability by implementing the necessary measures to set the Strict-Transport-Security header and a max-age value in all server responses.
First, the code imports the necessary modules, `express` and `helmet`, which is a middleware for securing Express applications.
Next, an instance of the Express application is created and assigned to the `app` variable.
The `helmet()` middleware is then applied to the application using `app.use(helmet())`. This middleware helps secure the application by setting various HTTP headers, including the Strict-Transport-Security header.
To specifically set the Strict-Transport-Security header and its max-age value, the `helmet.strictTransportSecurity()` middleware is used. It is applied to the application using `app.use(helmet.strictTransportSecurity({ maxAge: 31536000 }))`. The `maxAge` option is set to 31536000 seconds, which corresponds to a year.
After setting up the necessary security measures, a route handler is defined for the root path ("/"). When a request is made to this path, the server responds with the string "Hello World!".
Finally, the server is started and listens on port 3000 using `app.listen(3000)`. A message is logged to the console indicating that the server is running on port 3000.
By using the `helmet()` and `helmet.strictTransportSecurity()` middleware, the code ensures that the Strict-Transport-Security header is set with an appropriate max-age value in all server responses, mitigating the vulnerability related to insecure or unset HTTP headers.