You favourite analyzers were upgraded to detect two new type of security issues:
- privacy-related problems that can lead to data leak
- missing or disabled HTTP security headers.
Privacy-related issues are not open vulnerabilities that could be exploited directly by a hacker. For this reason, an immediate fix is not required. Instead, as a developer you should carefully review what is highlighted and take a decision whether or not you want to let your code potentially leak personal data of your users.
Here is the list of Security Hotspots added:
- S5604: Using intrusive permissions is security-sensitive
- S5247: Disabling auto-escaping in template engines is security-sensitive
- S5725: Disabling resource integrity features is security-sensitive
- S5743: Allowing browsers to perform DNS prefetching is security-sensitive
- S5757: Allowing confidential information to be logged is security-sensitive
- S5759: Forwarding client IP address is security-sensitive
A lot of HTTP headers exist or were introduced recently to improve security of an application or more precisely, the security of the browser when a user visits the application such as Content Security Policy.
We now detect missing or disabled security headers that help as an extra defense layer against potential attacks. They are often wrongly used, not understood or simply unknown.
Here is the list of Security Hotspots added to help you better use HTTP headers:
- S5728: Disabling content security policy fetch directives is security-sensitive
- S5732: Disabling content security policy frame-ancestors directive is security-sensitive
- S5730: Allowing mixed-content is security-sensitive
- S5734: Allowing browsers to sniff MIME types is security-sensitive
- S5736: Disabling strict HTTP no-referrer policy is security-sensitive
- S5739: Disabling Strict-Transport-Security policy is security-sensitive
- S5742: Disabling Certificate Transparency monitoring is security-sensitive