Disclosure of version information, usually overlooked by developers but enabled by default in the systems and frameworks in use, can pose a
significant security risk depending on the production environment.
Once this information is public, attackers can use it to identify potential security holes or vulnerabilities specific to that version.
Furthermore, if the published version information indicates the use of outdated or unsupported software, it becomes easier for attackers to exploit
known vulnerabilities. They can search for published vulnerabilities related to that version and launch attacks that specifically target those
vulnerabilities.
Ask Yourself Whether
- Version information is accessible to end users.
- Internal systems do not benefit from timely patch management workflows.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
In general, it is recommended to keep internal technical information within internal systems to control what attackers know about the underlying
architectures. This is known as the "need to know" principle.
The most effective solution is to remove version information disclosure from what end users can see, such as the "x-powered-by" header. This
can be achieved directly through the web application code, the server (nginx, apache) or firewalls.
Disabling the server signature provides additional protection by reducing the amount of information available to attackers. Note, however, that
this does not provide as much protection as regular updates and patches.
Security by obscurity is the least foolproof solution of all. It should never be the only defense mechanism and should always be combined with
other security measures.
Sensitive Code Example
In Express.js, version information is disclosed by default in the x-powered-by HTTP header:
let express = require('express');
let example = express(); // Sensitive: every response carries "X-Powered-By: Express"
example.get('/', function (req, res) {
res.send('example');
});
Compliant Solution
The x-powered-by HTTP header should be disabled in Express.js with app.disable:
let express = require('express');
let example = express();
example.disable("x-powered-by"); // Express no longer adds the header to responses
Or with helmet’s hidePoweredBy middleware:
let express = require('express');
let helmet = require("helmet");
let example = express();
example.use(helmet.hidePoweredBy()); // middleware removes X-Powered-By before each response is sent
See