
@sun-asterisk/sunlint


☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards

{ "id": "S038", "name": "Do not expose version information in response headers", "category": "security", "description": "S038 - Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.", "severity": "warning", "enabled": true, "semantic": { "enabled": true, "priority": "medium", "fallback": "heuristic" }, "patterns": { "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"], "exclude": [ "**/*.test.js", "**/*.test.ts", "**/*.spec.js", "**/*.spec.ts", "**/node_modules/**", "**/dist/**", "**/build/**" ] }, "analysis": { "approach": "symbol-based-primary", "fallback": "regex-based", "depth": 1, "timeout": 4000 }, "validation": { "headerSetters": ["setHeader", "set", "header"], "versionHeaders": [ "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Generator", "X-Runtime", "X-Version", "X-Framework" ], "middleware": { "express": ["helmet", "disable-x-powered-by"], "nestjs": ["helmet"], "nextjs": ["security-headers"] } } }