Mitigating reflected XSS in node/express requests for static assets
The cause of the issue is that for invalid GET requests express will return something like:
Cannot GET /pathname/?yourQueryString
Which in many cases is a valid response, even for serving static assets. However, in my case, and I'm sure for others, the only valid requests for static assets will be something like:
GET /pathname/your-file.jpg
I have a custom 404 handler that returns a data object:
    var data = {
        status: 404,
        message: 'Not Found',
        description: description, // description is defined elsewhere in the handler
        url: req.url              // echoes the raw request URL, query string included
    };
This is only handled for invalid template requests in app.js with:
    app.use('/template-path/*', function(req, res, next) {
        custom404.send404(req, res);
    });
I've now added explicit handlers for requests to static folders:
    app.use('/static-path/*', function(req, res, next) {
        custom404.send404(req, res);
    });
Optionally I could also strip out request query params before the 404 is returned:
    var url = require('url'); // needed for url.parse below
    var data = {
        status: 404,
        message: 'Not Found',
        description: description,
        url: url.parse(req.url).pathname // query string dropped; only the path is echoed
    };