JavaScript and TypeScript analyzers detect privacy-related security issues and missing HTTP security headers

Alexandre_Gigleux · November 19, 2020, 3:46pm

Hello JavaScript and TypeScript developers,

You favourite analyzers were upgraded to detect two new type of security issues:

privacy-related problems that can lead to data leak
missing or disabled HTTP security headers.

Privacy

Privacy-related issues are not open vulnerabilities that could be exploited directly by a hacker. For this reason, an immediate fix is not required. Instead, as a developer you should carefully review what is highlighted and take a decision whether or not you want to let your code potentially leak personal data of your users.

Here is the list of Security Hotspots added:

S5604: Using intrusive permissions is security-sensitive
S5247: Disabling auto-escaping in template engines is security-sensitive
S5725: Disabling resource integrity features is security-sensitive
S5743: Allowing browsers to perform DNS prefetching is security-sensitive
S5757: Allowing confidential information to be logged is security-sensitive
S5759: Forwarding client IP address is security-sensitive

HTTP Headers

A lot of HTTP headers exist or were introduced recently to improve security of an application or more precisely, the security of the browser when a user visits the application such as Content Security Policy.

We now detect missing or disabled security headers that help as an extra defense layer against potential attacks. They are often wrongly used, not understood or simply unknown.

Here is the list of Security Hotspots added to help you better use HTTP headers:

S5728: Disabling content security policy fetch directives is security-sensitive
S5732: Disabling content security policy frame-ancestors directive is security-sensitive
S5730: Allowing mixed-content is security-sensitive
S5734: Allowing browsers to sniff MIME types is security-sensitive
S5736: Disabling strict HTTP no-referrer policy is security-sensitive
S5739: Disabling Strict-Transport-Security policy is security-sensitive
S5742: Disabling Certificate Transparency monitoring is security-sensitive

These rules are available now for both JavaScript and TypeScript on SonarCloud, and will be included in SonarQube 8.6.

Alex

Topic	Replies	Views
JavaScript and TypeScript analyzers help to detect non-encrypted communications, zip bomb attacks sensitive code Sonar Updates javascript , typescript , security	867	January 11, 2021
Security code reviews now available in TypeScript and 4 new Code Smell rules for JavaScript Sonar Updates javascript , typescript , sonarqube-cloud	1163	October 14, 2019
JavaScript and TypeScript analyzers detect cryptography-related security issues Sonar Updates javascript , typescript , security , crypto	1318	October 27, 2020
All new TypeScript and JavaScript rules as well as 5 additional JavaScript Code Smells now available in SonarQube Sonar Updates javascript , typescript	965	December 4, 2019
JavaScript analyzer detects Express's bad security configuration practices and XXE vulnerabilities Sonar Updates javascript , security	954	October 5, 2020

JavaScript and TypeScript analyzers detect privacy-related security issues and missing HTTP security headers

Related topics