/**
* @fileoverview Check if responses contain certain disallowed HTTP headers.
*/
// ------------------------------------------------------------------------------
// Requirements
// ------------------------------------------------------------------------------
import { IFetchEndEvent, IRule, IRuleBuilder } from '../../interfaces'; // eslint-disable-line no-unused-vars
import { RuleContext } from '../../rule-context'; // eslint-disable-line no-unused-vars
import { getIncludedHeaders, mergeIgnoreIncludeArrays } from '../../util/rule-helpers';
// ------------------------------------------------------------------------------
// Public
// ------------------------------------------------------------------------------
const rule: IRuleBuilder = {
    /**
     * Builds the rule instance.
     *
     * Starts from a default list of response header names that are not
     * allowed (several of them typically reveal the server software or
     * framework in use), applies the user's `ignore`/`include` options to
     * that list once, and then checks the headers of every fetched resource
     * against the final list.
     *
     * @param context - rule context providing `ruleOptions` and `report`.
     * @returns the fetch events this rule listens to.
     */
    create(context: RuleContext): IRule {
        // Header names are written in lowercase.
        const defaultDisallowed = [
            'server',
            'x-aspnet-version',
            'x-aspnetmvc-version',
            'x-powered-by',
            'x-runtime',
            'x-version'
        ];

        // Resolve user configuration once; absent options mean "no changes".
        const options = context.ruleOptions;
        const toInclude = (options && options.include) || [];
        const toIgnore = (options && options.ignore) || [];
        const disallowed = mergeIgnoreIncludeArrays(defaultDisallowed, toIgnore, toInclude);

        /** Reports every disallowed header present in the response of `event`. */
        const checkHeaders = (event: IFetchEndEvent) => {
            const found = getIncludedHeaders(event.response.headers, disallowed);

            if (found.length === 0) {
                return;
            }

            const plural = found.length > 1 ? 's' : '';

            context.report(event.resource, event.element, `Disallowed HTTP header${plural} found: ${found.join(', ')}`);
        };

        return {
            'fetch::end': checkHeaders,
            'targetfetch::end': checkHeaders
        };
    },
    meta: {
        docs: {
            category: 'security',
            description: 'Disallow certain HTTP headers',
            recommended: true
        },
        // NOTE(review): no fixer is implemented in this file; confirm that
        // advertising the rule as fixable ('code') is intended.
        fixable: 'code',
        // Options schema: `ignore` and `include` are each a non-empty array of
        // unique strings; no other properties are accepted.
        schema: {
            additionalProperties: false,
            definitions: {
                'string-array': {
                    items: { type: 'string' },
                    minItems: 1,
                    type: 'array',
                    uniqueItems: true
                }
            },
            properties: {
                ignore: { $ref: '#/definitions/string-array' },
                include: { $ref: '#/definitions/string-array' }
            },
            // NOTE(review): JSON Schema type names are strings, so `null` here
            // may be meant as 'null' — confirm against the validator in use.
            type: ['object', null]
        }
    }
};
// CommonJS export: the rule loader consumes this module via `require`.
module.exports = rule;