Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

JavaScript static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVASCRIPT code

Tags

Impact

Clean code attribute

Creating public APIs is security-sensitive
Security Hotspot
Allowing public network access to cloud resources is security-sensitive
Security Hotspot
Policies granting all privileges are security-sensitive
Security Hotspot
Disabling Vue.js built-in escaping is security-sensitive
Security Hotspot
Policies authorizing public access to resources are security-sensitive
Security Hotspot
Disabling Angular built-in sanitization is security-sensitive
Security Hotspot
Granting access to S3 buckets to all or authenticated users is security-sensitive
Security Hotspot
Hard-coded credentials are security-sensitive
Security Hotspot
Allowing public ACLs or policies on a S3 bucket is security-sensitive
Security Hotspot
Authorizing HTTP communications with S3 buckets is security-sensitive
Security Hotspot
Using slow regular expressions is security-sensitive
Security Hotspot
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Dynamically executing code is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Using unencrypted EFS file systems is security-sensitive
Security Hotspot
Using unencrypted SQS queues is security-sensitive
Security Hotspot
Using unencrypted SNS topics is security-sensitive
Security Hotspot
Using unencrypted SageMaker notebook instances is security-sensitive
Security Hotspot
Using unencrypted Elasticsearch domains is security-sensitive
Security Hotspot
Using unencrypted RDS DB resources is security-sensitive
Security Hotspot
Using unencrypted EBS volumes is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Statically serving hidden files is security-sensitive
Security Hotspot
Using intrusive permissions is security-sensitive
Security Hotspot
Disabling auto-escaping in template engines is security-sensitive
Security Hotspot
Using shell interpreter when executing OS commands is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Disabling versioning of S3 buckets is security-sensitive
Security Hotspot
Forwarding client IP address is security-sensitive
Security Hotspot
Allowing confidential information to be logged is security-sensitive
Security Hotspot
Disabling Certificate Transparency monitoring is security-sensitive
Security Hotspot
Disabling Strict-Transport-Security policy is security-sensitive
Security Hotspot
Disabling strict HTTP no-referrer policy is security-sensitive
Security Hotspot
Allowing browsers to sniff MIME types is security-sensitive
Security Hotspot
Disabling content security policy frame-ancestors directive is security-sensitive
Security Hotspot
Allowing mixed-content is security-sensitive
Security Hotspot
Disabling content security policy fetch directives is security-sensitive
Security Hotspot
Using remote artifacts without integrity checks is security-sensitive
Security Hotspot
Disclosing fingerprints from web application technologies is security-sensitive
Security Hotspot
Authorizing an opened window to access back to the originating window is security-sensitive
Security Hotspot
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Policies granting access to all resources of an account are security-sensitive
Security Hotspot
Reading the Standard Input is security-sensitive
Security Hotspot
Using command line arguments is security-sensitive
Security Hotspot
Using Sockets is security-sensitive
Security Hotspot
Executing XPath expressions is security-sensitive
Security Hotspot
Encrypting data is security-sensitive
Security Hotspot
Using regular expressions is security-sensitive
Security Hotspot
Disabling server-side encryption of S3 buckets is security-sensitive
Security Hotspot
Allowing browsers to perform DNS prefetching is security-sensitive
Security Hotspot
Writing cookies is security-sensitive
Security Hotspot

Forwarding client IP address is security-sensitive

intentionality - complete

security

Security Hotspot

MinorSonarSource default severity
click to learn more

privacy
express.js

Users often connect to web servers through HTTP proxies.

Proxy can be configured to forward the client IP address via the X-Forwarded-For or Forwarded HTTP headers.

IP address is a personal information which can identify a single user and thus impact his privacy.

Ask Yourself Whether

The web application uses reverse proxies or similar but doesn’t need to know the IP address of the user.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

User IP address should not be forwarded unless the application needs it, as part of an authentication, authorization scheme or log management for examples.

Sensitive Code Example

node-http-proxy

var httpProxy = require('http-proxy');

httpProxy.createProxyServer({target:'http://localhost:9000', xfwd:true}) // Noncompliant
  .listen(8000);

http-proxy-middleware

var express = require('express');

const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true, xfwd: true })); // Noncompliant
app.listen(3000);

Compliant Solution

node-http-proxy

var httpProxy = require('http-proxy');

// By default xfwd option is false
httpProxy.createProxyServer({target:'http://localhost:9000'}) // Compliant
  .listen(8000);

http-proxy-middleware

var express = require('express');

const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

// By default xfwd option is false
app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true})); // Compliant
app.listen(3000);

See

OWASP - Top 10 2021 Category A5 - Security Misconfiguration
OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
developer.mozilla.org - X-Forwarded-For

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted