javascript - Checkmarx scan - how to fix Missing_HSTS_Header warning? - Stack Overflow

after running Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header. On this piece of code that just returns the content of metadata.json file (highlighted as a source of error is "res.json").

const app = express();
app.get('/metadata', (req, res, next) => {
    res.json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
});

Initially, it looked like an easy fix. For example, in this link, I found 3 possible solutions - .

But the problem is that none of those works. I tried to use helmet, I useds hsts npm package, I did explicitly set hsts code in console with this mand.

res.setHeader("Strict-Transport-Security", "max-age=31536000");

Yet, Checkmarx still plains. Did someone else also experience this? If yes, do you have the idea what could be wrong and why all solutions posted online do not work? Thank you

EDIT: Here, I found an explicit way in Checkmarx documentation, but the waring keeps appearing - .md

after running Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header. On this piece of code that just returns the content of metadata.json file (highlighted as a source of error is "res.json").

const app = express();
app.get('/metadata', (req, res, next) => {
    res.json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));
});

Initially, it looked like an easy fix. For example, in this link, I found 3 possible solutions - https://github./cloudfoundry-incubator/service-fabrik-broker/issues/445 .

But the problem is that none of those works. I tried to use helmet, I useds hsts npm package, I did explicitly set hsts code in console with this mand.

res.setHeader("Strict-Transport-Security", "max-age=31536000");

Yet, Checkmarx still plains. Did someone else also experience this? If yes, do you have the idea what could be wrong and why all solutions posted online do not work? Thank you

EDIT: Here, I found an explicit way in Checkmarx documentation, but the waring keeps appearing - https://github./Checkmarx/JS-SCP/blob/master/src/munication-security/ssl-tls.md

• javascript
• node.js
• hsts
• secure-coding
• checkmarx

Share Improve this question Follow edited Nov 19, 2020 at 9:21 securecodeninja 2,51533 gold badges1919 silver badges2323 bronze badges asked Nov 18, 2020 at 12:28 JozefJozef 49311 gold badge1212 silver badges4444 bronze badges 2

• @Josef does Checkmarx at least recognize where the res.setHeader line was and shows up in the data flow? – securecodeninja Commented Nov 19, 2020 at 2:02
• 4 In the end, it looks like checkmarx bug - because when I call the endpoint and check the response, the header is present (CM also recognizes the res.setHeader() line) – Jozef Commented Nov 19, 2020 at 10:32

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 5

We had the same issue with checkmarx. Apparently, checkmark has a bug by expecting everything on a single line.

You can resolve this by setting the header and sending the response in one line

res.setHeader("Strict-Transport-Security", "max-age=31536000").json(JSON.parse(fs.readFileSync(path.join(__dirname, 'metadata.json'), 'utf8')));

We had same issue with checkmarx. You can resolve this by setting the header :

res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");