I have the following code which is throwing an error in the Fortify tool:
const headerCopy = (req, resp, next) => {
if (req.headers["iv-user"]) {
resp.setHeader("iv-user", req.headers["iv-user"]);
resp.setHeader("token", process.env.TOKEN);
}
if (req.get("referer")) {
resp.setHeader("referer", req.get("referer"));
}
next();
}
app.use(headerCopy, express.static(path.join(__dirname, './build')));
app.get('*', headerCopy, function (req, res) {
res.sendFile(path.join(__dirname, 'build', 'index.html'));
});
app.listen(port, () => {
console.log(`MainApp listening at http://localhost:${port}`)
})
The error in the Fortify tool complains with the following msg:
The method headerCopy() in MainApp.js includes unvalidated data in an
HTTP response header on line 11. This enables attacks such as
cache-poisoning, cross-site scripting, cross-user defacement, page
hijacking, cookie manipulation or open redirect.
Can someone please help me with this error?