Mitigating reflected XSS in node/express requests for static assets

The cause of the issue is that for invalid GET requests express will return something like:

Cannot GET /pathname/?yourQueryString

In many cases that is a valid response, even for serving static assets. However, in my case, and I'm sure for others, the only valid requests for static assets will be something like:

GET /pathname/your-file.jpg

I have a custom 404 handler that returns a data object:

var data = {
    status: 404,
    message: 'Not Found',
    description: description,
    url: req.url
};

This is only handled for invalid template requests in app.js with:

app.use('/template-path/*', function(req, res, next) {
    custom404.send404(req, res);
});

I've now added explicit handlers for requests to static folders:

app.use('/static-path/*', function(req, res, next) {
    custom404.send404(req, res);
});

Optionally I could also strip out request query params before the 404 is returned:

var url = require('url'); // needed for url.parse below

var data = {
    status: 404,
    message: 'Not Found',
    description: description,
    url: url.parse(req.url).pathname // keeps the path, drops ?yourQueryString
};