CodeQL documentation
CodeQL resources

Insecure configuration of Helmet security middleware

ID: js/insecure-helmet-configuration
Kind: problem
Security severity: 7.0
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-693
   - external/cwe/cwe-1021
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Helmet is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities. This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:

  • Disabling frame protection

  • Disabling Content Security Policy Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS). Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.

Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL data extensions in a CodeQL model pack. See CUSTOMIZING.md in the query source for more information.

Recommendation

To help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:

  • frameguard

  • contentSecurityPolicy

Example

The following code snippet demonstrates Helmet configured in an insecure manner:

const helmet = require('helmet');

app.use(helmet({
    frameguard: false,
    contentSecurityPolicy: false
}));

In this example, the defaults are used, which enables frame protection and a default Content Security Policy.

app.use(helmet());

You can also enable a custom Content Security Policy by passing an object to the contentSecurityPolicy key. For example, taken from the Helmet docs:

app.use(
    helmet({
        contentSecurityPolicy: {
            directives: {
                "script-src": ["'self'", "example.com"],
                "style-src": null,
            },
        },
    })
);

References

  • © GitHub, Inc.
  • Terms
  • Privacy