eslint-plugin-weblint-security

ESLint rules for enhanced security - even for React and Node.js!

# Disallow use of ExpressJS applications without the use of Helmet.js defaults, due to the concern that the HTTP headers might be insecurely configured

## Rule details

The following patterns are considered warnings:

```javascript
const myOddlyNamedApp = require("express");
const myHelmetImport = require('helmet');
// Helmet is imported, but never used. The unusual names show that the rule
// follows the bindings rather than fixed identifier names.
myOddlyNamedApp.listen(8080);
```

```javascript
const app = require("express");
const helmet = require("helmet");
// Uses helmet.expectCt only, not the default configuration
app.use(helmet.expectCt({maxAge: 3600, enforce: true}));
app.listen(8080);
```

```javascript
const app = require("express");
...
app.listen(8080);
```

The following patterns are NOT considered warnings:

```javascript
const app = require("express")
const helmet = require('helmet')
// Helmet is used with the default configuration
app.use(helmet())
app.listen(8080)
```

```javascript
const app = require("express")
const myHelmet = require('helmet')
// Helmet is used with the default configuration, under a different binding name
app.use(myHelmet())
app.listen(8080)
```
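To make the rule's three warning cases and two accepted cases concrete, here is an added stand-alone checker that reproduces the same decisions on source text. It is not the plugin's own implementation (which works on the ESLint AST, not regular expressions); the function name `checkHelmetDefaults`, the `SAMPLES` strings and the regular expressions are assumptions made for this example. Like the rule, it tracks whichever binding names are used for `express` and `helmet`, and it accepts only a bare `<app>.use(<helmet>())` call as "the default configuration".

```javascript
// Added example, not the plugin's code: a minimal approximation of the rule's
// heuristics, implemented with regular expressions over raw source text.

// Capture the binding name of `require("express")` / `require("helmet")`.
const REQUIRE_EXPRESS = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*["']express["']\s*\)/;
const REQUIRE_HELMET = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*["']helmet["']\s*\)/;

// Returns { warn: boolean, reason: string } for one source file.
function checkHelmetDefaults(source) {
  const expressMatch = REQUIRE_EXPRESS.exec(source);
  if (!expressMatch) {
    return { warn: false, reason: "no express import; rule does not apply" };
  }
  const appName = expressMatch[1];

  const helmetMatch = REQUIRE_HELMET.exec(source);
  if (!helmetMatch) {
    return { warn: true, reason: `${appName} is an express app but helmet is never imported` };
  }
  const helmetName = helmetMatch[1];

  // Only `<app>.use(<helmet>())` with no arguments counts as helmet's default
  // configuration; `helmet.expectCt(...)` or an unused import does not.
  const usesDefaults = new RegExp(
    `\\b${appName}\\.use\\(\\s*${helmetName}\\(\\s*\\)\\s*\\)`
  );
  if (usesDefaults.test(source)) {
    return { warn: false, reason: `${appName}.use(${helmetName}()) applies helmet defaults` };
  }
  return {
    warn: true,
    reason: `helmet is imported as ${helmetName} but ${appName}.use(${helmetName}()) is never called`,
  };
}

// Constructed samples mirroring the rule's documented patterns.
const SAMPLES = {
  unusedHelmet: `
    const myOddlyNamedApp = require("express");
    const myHelmetImport = require('helmet');
    myOddlyNamedApp.listen(8080);`,
  nonDefaultHelmet: `
    const app = require("express");
    const helmet = require("helmet");
    app.use(helmet.expectCt({maxAge: 3600, enforce: true}));
    app.listen(8080);`,
  noHelmet: `
    const app = require("express");
    app.listen(8080);`,
  defaultHelmet: `
    const app = require("express")
    const helmet = require('helmet')
    app.use(helmet())
    app.listen(8080)`,
  renamedDefaultHelmet: `
    const app = require("express")
    const myHelmet = require('helmet')
    app.use(myHelmet())
    app.listen(8080)`,
  notExpress: `
    const http = require("http");
    http.createServer().listen(8080);`,
};

// Runs every sample and returns { sampleName: warnBoolean }.
function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, src]) => [name, checkHelmetDefaults(src).warn])
  );
}

console.log(runSamples());
```

The first three samples produce a warning and the last three do not, which matches the rule documentation above; the `notExpress` sample shows that files without an Express import are left alone.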