Tags: javascript, node.js, hsts, secure-coding, checkmarx

Checkmarx scan - how to fix Missing_HSTS_Header warning?


After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header, on this piece of code that just returns the content of the metadata.json file (the part highlighted as the source of the error is "res.json").

const express = require('express');
const fs = require('fs');
const path = require('path');

const app = express();

// Returns the contents of metadata.json; Checkmarx highlights res.json here.
app.get('/metadata', (req, res, next) => {
    res.json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
});

Initially, it looked like an easy fix. For example, at this link I found 3 possible solutions - https://github.com/cloudfoundry-incubator/service-fabrik-broker/issues/445 .

But the problem is that none of those works. I tried to use helmet, I used the hsts npm package, and I did explicitly set the HSTS header in the code with this command.

res.setHeader("Strict-Transport-Security", "max-age=31536000");

Yet, Checkmarx still complains. Did someone else also experience this? If yes, do you have an idea what could be wrong and why all the solutions posted online do not work? Thank you

EDIT: Here I found an explicit way in the Checkmarx documentation, but the warning keeps appearing - https://github.com/Checkmarx/JS-SCP/blob/master/src/communication-security/ssl-tls.md


Solution

  • We had the same issue with Checkmarx. You can resolve this by setting the header:

    res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
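
The following is an added example, not code from the question or the answer above. It packages the header from the answer as an Express-style middleware (registered with app.use() before the routes, so every response, including the res.json() call in the /metadata handler, carries it) and adds a small parser and checker for the header value, so you can verify what the server actually sends rather than guessing. The express package is not required: the request/response objects, the route body and the metadata object are constructed stand-ins for the real ones. The one-year minimum in checkHsts is a policy choice for this example, not a rule quoted from Checkmarx. Two caveats a practitioner should keep in mind: browsers ignore Strict-Transport-Security on responses received over plain HTTP (RFC 6797, section 8.1), so the header only takes effect once the site is served over TLS, and the preload directive is deliberately opt-in because it commits the whole domain, subdomains included, to HTTPS in browser preload lists.

```javascript
// Added example (not from the original question or answer): Express-style
// HSTS middleware plus a parser/checker for the header value. Uses plain
// objects instead of the express package so it runs offline.

const ONE_YEAR_SECONDS = 31536000;

// Build the Strict-Transport-Security value. Defaults match the answer:
// a one-year max-age with includeSubDomains. preload is opt-in.
function buildHstsValue({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('max-age must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Middleware factory. Register it with app.use(hsts()) BEFORE any routes so
// the header is set on every response, including res.json() in /metadata.
function hsts(options) {
  const value = buildHstsValue(options);
  return function hstsMiddleware(req, res, next) {
    res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Parse a header value into its directives. Directive names are
// case-insensitive and max-age may be quoted (RFC 6797, section 6.1).
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return result;
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    let [name, val] = token.split('=').map((s) => s.trim());
    if (val !== undefined) val = val.replace(/^"|"$/g, '');
    switch (name.toLowerCase()) {
      case 'max-age': result.maxAge = /^\d+$/.test(val) ? Number(val) : null; break;
      case 'includesubdomains': result.includeSubDomains = true; break;
      case 'preload': result.preload = true; break;
      default: break; // unknown directives are ignored, as a browser would
    }
  }
  return result;
}

// Review a header value and return a list of findings (empty = acceptable).
// The one-year minimum is this example's policy, not a Checkmarx rule.
function checkHsts(headerValue) {
  if (headerValue === undefined || headerValue === null) {
    return ['Strict-Transport-Security header is missing'];
  }
  const findings = [];
  const p = parseHsts(headerValue);
  if (p.maxAge === null) findings.push('max-age directive is missing or not an integer');
  else if (p.maxAge === 0) findings.push('max-age=0 disables HSTS');
  else if (p.maxAge < ONE_YEAR_SECONDS) findings.push(`max-age ${p.maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  if (!p.includeSubDomains) findings.push('includeSubDomains directive is missing');
  return findings;
}

// Constructed stand-in for an Express response: records headers and the JSON body.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    body: null,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    json(obj) {
      headers['content-type'] = 'application/json; charset=utf-8';
      this.body = JSON.stringify(obj);
    },
  };
}

// Simulate the /metadata route from the question with the middleware in front
// of it. The metadata object is constructed inline instead of reading metadata.json.
function serveMetadata(options) {
  const req = { method: 'GET', url: '/metadata' };
  const res = fakeResponse();
  const metadataRoute = (rq, rs) => rs.json({ name: 'example-service', version: '1.0.0' });
  hsts(options)(req, res, () => metadataRoute(req, res));
  return res;
}

const served = serveMetadata();
console.log(served.headers['strict-transport-security']); // max-age=31536000; includeSubDomains
console.log(checkHsts(served.headers['strict-transport-security'])); // []
console.log(checkHsts('max-age=31536000')); // [ 'includeSubDomains directive is missing' ]
```

In a real application the same middleware is wired in as app.use(hsts()) ahead of app.get('/metadata', ...); helmet's hsts() middleware does the same thing, and checkHsts can be pointed at the value a curl -I against the deployed HTTPS endpoint returns to confirm the header is really leaving the server.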