🐛 [BUG] - Express template's security hotspot #130
Comments
ymw0407 added a commit that referenced this issue on Oct 6, 2023.
ymw0407 added a commit that referenced this issue on Oct 6, 2023:

Fix : resolve expressjs security hotspot problems #130
ymw0407 added a commit that referenced this issue on Oct 6, 2023:

* Revert "Initial Prod Setting #107"
* Feat : environment variable ORIGIN added #120
* Feat: auth/check-token controller created #121
  Signed-off-by: ymw0407 <[email protected]>
* Fix : fix getLicense Service that get wrong pwd #126
  Signed-off-by: ymw0407 <[email protected]>
  Co-authored-by: Kim-Jiyun <[email protected]>
* Fix : fix formatter error #126
* Fix : reading default issue file logic changed & nest-cli changed #126
  Signed-off-by: ymw0407 <[email protected]>
* Fix : nest-cli build without env-template folder error fixed at #125
  Signed-off-by: ymw0407 <[email protected]>
* Remove : detach env-template repository's submodule
* Remove : remove env-template folder #125
* Add : add supportedEnv file #125
* Add : React template added #125
* Add : Express template added #125
* Add : NestJS template added #125
* Fix : resolve expressjs security hotspot problems #130
* Fix : reordering code simply

---------
Signed-off-by: ymw0407 <[email protected]>
Co-authored-by: Kim-Jiyun <[email protected]>
ymw0407 added a commit that referenced this issue on Oct 7, 2023:

* Fix : dockerfile permission problem #107
* Fix : --chown=node:node has been removed #113
* Remove : remove unusable CD workflows #107
  Signed-off-by: ymw0407 <[email protected]>
* Fix : NODE_ENV removed & control at cloud run
  Signed-off-by: ymw0407 <[email protected]>
* CORS error resolved & CD applied (#123)
  * Revert "Initial Prod Setting #107"
  * Feat : environment variable ORIGIN added #120
  * Feat: auth/check-token controller created #121
    Signed-off-by: ymw0407 <[email protected]>

  ---------
  Signed-off-by: ymw0407 <[email protected]>
* Fixed to using at production(Cloud Run & Netlify) (#132)
  * Revert "Initial Prod Setting #107"
  * Feat : environment variable ORIGIN added #120
  * Feat: auth/check-token controller created #121
    Signed-off-by: ymw0407 <[email protected]>
  * Fix : fix getLicense Service that get wrong pwd #126
    Signed-off-by: ymw0407 <[email protected]>
    Co-authored-by: Kim-Jiyun <[email protected]>
  * Fix : fix formatter error #126
  * Fix : reading default issue file logic changed & nest-cli changed #126
    Signed-off-by: ymw0407 <[email protected]>
  * Fix : nest-cli build without env-template folder error fixed at #125
    Signed-off-by: ymw0407 <[email protected]>
  * Remove : detach env-template repository's submodule
  * Remove : remove env-template folder #125
  * Add : add supportedEnv file #125
  * Add : React template added #125
  * Add : Express template added #125
  * Add : NestJS template added #125
  * Fix : resolve expressjs security hotspot problems #130
  * Fix : reordering code simply

  ---------
  Signed-off-by: ymw0407 <[email protected]>
  Co-authored-by: Kim-Jiyun <[email protected]>

---------
Signed-off-by: ymw0407 <[email protected]>
Signed-off-by: Yun Min Woo <[email protected]>
Co-authored-by: Kim-Jiyun <[email protected]>
ymw0407 added a commit that referenced this issue on Oct 11, 2023:

* Revert "Initial Prod Setting #107"
* Feat : environment variable ORIGIN added #120
* Feat: auth/check-token controller created #121
  Signed-off-by: ymw0407 <[email protected]>
* Fix : fix getLicense Service that get wrong pwd #126
  Signed-off-by: ymw0407 <[email protected]>
  Co-authored-by: Kim-Jiyun <[email protected]>
* Fix : fix formatter error #126
* Fix : reading default issue file logic changed & nest-cli changed #126
  Signed-off-by: ymw0407 <[email protected]>
* Fix : nest-cli build without env-template folder error fixed at #125
  Signed-off-by: ymw0407 <[email protected]>
* Remove : detach env-template repository's submodule
* Remove : remove env-template folder #125
* Add : add supportedEnv file #125
* Add : React template added #125
* Add : Express template added #125
* Add : NestJS template added #125
* Fix : resolve expressjs security hotspot problems #130
* Fix : reordering code simply
* Feat : Update Security Policy #133
  Signed-off-by: Yun Min Woo <[email protected]>
* Feat : getPublicRepo api added #134
  Signed-off-by: ymw0407 <[email protected]>
* Docs : API specs added & formatting docs files
* Fix : permission greater than or equal to push can use another api #134
  Signed-off-by: ymw0407 <[email protected]>
* Add : senti modules added & senti/template api added #136
  Signed-off-by: ymw0407 <[email protected]>
* Fix : Senti module's name changed to Review #136 #137
  Signed-off-by: ymw0407 <[email protected]>
* Feat : review community controller added #136 #137
  Signed-off-by: ymw0407 <[email protected]>
* Feat : Security review controller added #136 #137
  Signed-off-by: ymw0407 <[email protected]>
* Chore : change unusable test identifier
* Chore : function name changed
* Chore : unusable console log removed
* Feat : review/file controller added & pr, issue, contributing, readme api added #140
* Docs : add review controller's spec
* Docs : review controller's spec added #140
  Signed-off-by: ymw0407 <[email protected]>
* Feat : getRepoDetails feature added #142
  Signed-off-by: ymw0407 <[email protected]>
* Docs : getRepoDetails's spec added #141

---------
Signed-off-by: ymw0407 <[email protected]>
Signed-off-by: Yun Min Woo <[email protected]>
Co-authored-by: Kim-Jiyun <[email protected]>
Browsers
Firefox, Chrome, Safari, Microsoft Edge, Opera
OS
Windows, Linux, Mac
Description
This framework implicitly discloses version information by default. Make sure it is safe here.
Recommended Secure Coding Practices
In general, it is recommended to keep internal technical information within internal systems to control what attackers know about the underlying architectures. This is known as the "need to know" principle.
The most effective solution is to remove version information disclosure from what end users can see, such as the "x-powered-by" header.
This can be achieved directly through the web application code, server (nginx, apache) or firewalls.
Disabling the server signature provides additional protection by reducing the amount of information available to attackers. Note, however, that this does not provide as much protection as regular updates and patches.
Security by obscurity is the least foolproof solution of all. It should never be the only defense mechanism and should always be combined with other security measures.
Reproduction URL
https://sonarcloud.io/project/security_hotspots?id=AgainIoT_Open-Set-Go_server
Reproduction Steps
https://sonarcloud.io/project/security_hotspots?id=AgainIoT_Open-Set-Go_server
Solutions
No response
Screenshots
![DESCRIPTION](LINK.png)