JavaScript and TypeScript analyzers detect privacy-related security issues and missing HTTP security headers

Hello JavaScript and TypeScript developers,

You favourite analyzers were upgraded to detect two new type of security issues:

  • privacy-related problems that can lead to data leak
  • missing or disabled HTTP security headers.


Privacy-related issues are not open vulnerabilities that could be exploited directly by a hacker. For this reason, an immediate fix is not required. Instead, as a developer you should carefully review what is highlighted and take a decision whether or not you want to let your code potentially leak personal data of your users.

Here is the list of Security Hotspots added:

  • S5604: Using intrusive permissions is security-sensitive
  • S5247: Disabling auto-escaping in template engines is security-sensitive
  • S5725: Disabling resource integrity features is security-sensitive
  • S5743: Allowing browsers to perform DNS prefetching is security-sensitive
  • S5757: Allowing confidential information to be logged is security-sensitive
  • S5759: Forwarding client IP address is security-sensitive

HTTP Headers

A lot of HTTP headers exist or were introduced recently to improve security of an application or more precisely, the security of the browser when a user visits the application such as Content Security Policy.

We now detect missing or disabled security headers that help as an extra defense layer against potential attacks. They are often wrongly used, not understood or simply unknown.

Here is the list of Security Hotspots added to help you better use HTTP headers:

  • S5728: Disabling content security policy fetch directives is security-sensitive
  • S5732: Disabling content security policy frame-ancestors directive is security-sensitive
  • S5730: Allowing mixed-content is security-sensitive
  • S5734: Allowing browsers to sniff MIME types is security-sensitive
  • S5736: Disabling strict HTTP no-referrer policy is security-sensitive
  • S5739: Disabling Strict-Transport-Security policy is security-sensitive
  • S5742: Disabling Certificate Transparency monitoring is security-sensitive

These rules are available now for both JavaScript and TypeScript on SonarCloud, and will be included in SonarQube 8.6.


1 Like