Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:
HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).
This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.
no access control prevents attackers from successfully performing a forbidden request.
You are at risk if you answered yes to any of those questions.
Never trust any part of the request to be safe. Make sure that the URI, header and body are properly sanitized before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as CSRF tokens when possible.
Do not expose sensitive information in your response. If the endpoint serves files, limit the access to a dedicated directory. Protect your sensitive cookies so that client-side javascript cannot read or modify them.
Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
Location header is compromised. Restrict security-sensitive actions, such as file upload, to authenticated users.
Be careful when errors are returned to the client, as they can provide sensitive information. Use 404 (Not Found) instead of 403 (Forbidden) when the existence of a resource is sensitive.
// === NodeJS built-in modules ===
const http = require('http');
const https = require('https');
// Endpoints exposed by http.Server and https.Server objects are security-sensitive and should be reviewed.
// Examples:
const srv = new http.Server((req, res) => {});
srv.listen(3000); // Questionable
// http.createServer creates a new http.Server object.
const srv = http.createServer((req, res) => {});
srv.listen(3000); // Questionable
const srv = new https.Server((req, res) => {});
srv.listen(3000); // Questionable
// https.createServer creates a new https.Server object.
const srv = https.createServer((req, res) => {});
srv.listen(3000); // Questionable
// === ExpressJS ===
const express = require('express');
const app = express();
// Endpoints exposed by ExpressJS are security-sensitive and should be reviewed.
// Example:
app.get('/', function (req, res) {});
app.post('/', function (req, res) {});
app.all('/', function (req, res) {});
app.listen(3000); // Questionable