This rule is deprecated, and will eventually be removed.
By default, web browsers perform DNS prefetching to reduce
latency due to DNS resolutions required when a user clicks links from a website page.
For instance, on example.com the hyperlink below contains a cross-origin domain name that must be resolved to an IP address by the web browser:
<a href="https://otherexample.com">go on our partner website</a>
These resolutions can add significant latency during requests, especially if the page contains many links to cross-origin domains. DNS prefetch allows web
browsers to perform DNS resolution in the background before the user clicks a link. This feature can cause privacy issues because DNS resolution from
the user’s computer is performed without the user’s consent, even if they do not intend to go to the linked website.
On a complex private webpage, a combination of unique links/DNS resolutions can indicate, to an eavesdropper for instance, that the user is
visiting the private page.
Ask Yourself Whether
- Links to cross-origin domains could result in leakage of confidential information about the user’s navigation or behavior on the website.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Implement the X-DNS-Prefetch-Control header with an
off value, but note that this could significantly degrade website performance.
Sensitive Code Example
In an Express.js application, the code is sensitive if the dns-prefetch-control
middleware is disabled or used without the recommended value:
const express = require('express');
const helmet = require('helmet');
let app = express();
app.use(
  helmet.dnsPrefetchControl({
    allow: true // Sensitive: allowing DNS prefetching is security-sensitive
  })
);
Compliant Solution
In an Express.js application, the dns-prefetch-control or helmet middleware is the standard way to set the X-DNS-Prefetch-Control
header:
const express = require('express');
const helmet = require('helmet');
let app = express();
app.use(
  helmet.dnsPrefetchControl({
    allow: false // Compliant
  })
);
See