Description
Critical security headers are commented out in the NodeGoat server configuration, leaving the application vulnerable to clickjacking, MIME sniffing, and other attacks.
Location
NodeGoat/server.js:38-65
Disabled Security Headers
helmet.frameguard() - Clickjacking protection
helmet.noCache() - Cache poisoning protection
helmet.contentSecurityPolicy() - XSS mitigation
helmet.hsts() - HTTPS enforcement
nosniff() - MIME type sniffing protection
Current Code
/*
// Fix for A5 - Security MisConfig
app.disable("x-powered-by");
app.use(helmet.frameguard());
app.use(helmet.noCache());
app.use(helmet.contentSecurityPolicy());
app.use(helmet.hsts());
app.use(nosniff());
*/
Risk
- Severity: Medium
- OWASP: A6:2017 - Security Misconfiguration
- CWE: CWE-693 (Protection Mechanism Failure)
Remediation
Uncomment and enable helmet middleware with appropriate configuration for the training environment.
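The remediation itself is to re-enable the commented-out helmet calls in server.js. As an added example (not NodeGoat's code), the block below is a dependency-free stand-in that sets the headers those calls would add, plus an audit function a reviewer can run over a response's headers to list which protections are still missing. The header values follow helmet's documented defaults; the CSP value and the fake response object are assumptions made so the code runs without Express.

```javascript
// Added example: not NodeGoat's code. Headers mirror what the disabled helmet calls set.
const REQUIRED_HEADERS = {
  'x-frame-options': 'SAMEORIGIN',                                         // helmet.frameguard()
  'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate', // helmet.noCache()
  'content-security-policy': "default-src 'self'",                         // helmet.contentSecurityPolicy() (policy assumed)
  'strict-transport-security': 'max-age=15552000; includeSubDomains',      // helmet.hsts()
  'x-content-type-options': 'nosniff',                                     // nosniff()
};

// Express-style middleware: equivalent of the commented-out block in server.js.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By'); // same effect as app.disable("x-powered-by")
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, value);
  next();
}

// Audit: given a response's headers, return the protections that are missing.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const missing = Object.keys(REQUIRED_HEADERS).filter((name) => !(name in h));
  if ('x-powered-by' in h) missing.push('x-powered-by (should be removed)');
  return missing;
}

// Constructed minimal response object so the middleware can run without Express.
function makeFakeResponse(initial = {}) {
  const headers = { ...initial };
  return {
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    removeHeader: (k) => { delete headers[k.toLowerCase()]; },
    getHeaders: () => ({ ...headers }),
  };
}

// Compare the current (misconfigured) response with one that passed through the middleware.
function demo() {
  const before = makeFakeResponse({ 'x-powered-by': 'Express' }); // constructed: headers as sent today
  const after = makeFakeResponse({ 'x-powered-by': 'Express' });
  securityHeaders({}, after, () => {});
  return { before: auditHeaders(before.getHeaders()), after: auditHeaders(after.getHeaders()) };
}
```

Running `demo()` reports six findings for the current configuration (five missing headers plus the leaked X-Powered-By) and none once the middleware is applied.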