Commit 68e21a5

Fixed query help formatting issues
1 parent bda794f commit 68e21a5

1 file changed

+42
-38
lines changed


javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp

Lines changed: 42 additions & 38 deletions
@@ -5,12 +5,14 @@
55
<a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.
66

77
This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
8+
</p>
89

9-
<ul>
10-
<li>Disabling frame protection</li>
11-
<li>Disabling Content Security Policy</li>
12-
</ul>
10+
<ul>
11+
<li>Disabling frame protection</li>
12+
<li>Disabling Content Security Policy</li>
13+
</ul>
1314

15+
<p>
1416
Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).
1517

1618
Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
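Review bot: moving the `<ul>` (10+ to 13+) out of the paragraph by closing it at 8+ and opening a new `<p>` at 15+ is the right structural fix, since a list cannot sit inside a paragraph, but the intro sentence on line 7 ends with "specifically:" and the two list items still never name the Helmet options involved; consider tying each item to its option here, e.g. `<li>Disabling frame protection (<code>frameguard: false</code>)</li>` and `<li>Disabling Content Security Policy (<code>contentSecurityPolicy: false</code>)</li>`, so the overview matches the recommendation section, which is the first place `frameguard` and `contentSecurityPolicy` appear.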
@@ -19,53 +21,55 @@
1921
<recommendation>
2022
<p>
2123
To help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:
22-
<ul>
23-
<li><code>frameguard</code></li>
24-
<li><code>contentSecurityPolicy</code></li>
25-
</ul>
2624
</p>
25+
26+
<ul>
27+
<li><code>frameguard</code></li>
28+
<li><code>contentSecurityPolicy</code></li>
29+
</ul>
2730
</recommendation>
2831
<example>
2932
<p>
3033
The following code snippet demonstrates Helmet configured in an insecure manner:
31-
<code class="language-javascript">
32-
const helmet = require('helmet');
33-
app.use(helmet({
34-
frameguard: false,
35-
contentSecurityPolicy: false
36-
}));
37-
</code>
3834
</p>
35+
36+
<pre>
37+
const helmet = require('helmet');
38+
app.use(helmet({
39+
frameguard: false,
40+
contentSecurityPolicy: false
41+
}));
42+
</pre>
43+
3944
<p>
4045
In this example, the defaults are used, which enables frame protection and a default Content Security Policy.
46+
</p>
4147

42-
<code class="language-javascript">
43-
app.use(helmet());
44-
</code>
45-
46-
You can also enable a custom Content Security Policy by passing an object to the <code>contentSecurityPolicy</code> key. For example, taken from the <a href="https://helmetjs.github.io/#content-security-policy">Helmet docs:
48+
<pre>
49+
app.use(helmet());
50+
</pre>
4751

48-
<code class="language-javascript">
49-
app.use(
50-
helmet({
51-
contentSecurityPolicy: {
52-
directives: {
53-
"script-src": ["'self'", "example.com"],
54-
"style-src": null,
55-
},
56-
},
57-
})
58-
);
59-
<code>
6052
<p>
61-
53+
You can also enable a custom Content Security Policy by passing an object to the <code>contentSecurityPolicy</code> key. For example, taken from the <a href="https://helmetjs.github.io/#content-security-policy">Helmet docs</a>:
6254
</p>
55+
56+
<pre>
57+
app.use(
58+
helmet({
59+
contentSecurityPolicy: {
60+
directives: {
61+
"script-src": ["'self'", "example.com"],
62+
"style-src": null,
63+
},
64+
},
65+
})
66+
);
67+
</pre>
68+
6369
</example>
6470
<references>
65-
<ul>
66-
<li>
67-
<a href="https://helmetjs.github.io/">helmet.js website</a>
68-
</li>
69-
</ul>
71+
<li>
72+
<a href="https://helmetjs.github.io/">helmet.js website</a>
73+
</li>
7074
</references>
7175
</qhelp>
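Review bot: the paragraph at line 45 ("In this example, the defaults are used, which enables frame protection and a default Content Security Policy.") now precedes the `app.use(helmet());` snippet at 48+ to 50+, so on first read it appears to describe the insecure snippet just above it; reword it to introduce the code that follows, e.g. "The following example uses the defaults, which enable frame protection and a default Content Security Policy:". Replacing the unclosed `<code>` at 59- with a proper `<pre>` block (56+ to 67+) and closing the `<a>` at 53+ resolves the rendering breakage the commit message describes. One documentation gap remains in the custom CSP example: `"style-src": null` (62+) is shown without any explanation of what a `null` directive does, so a sentence after the block stating its effect would stop readers from copying it without understanding the change to the default policy.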
