Security Audit of HackMyResume
ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!
Possible Security Issues
|Remote OS Command Execution
||User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
|Server Side Injection(SSI) - setTimeout()
||User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
|Server Side Injection(SSI) - eval()
||User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
Missing Security Features
|Missing Security Header - X-Frame-Options (XFO)
||X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
|Missing Security Header - Content-Security-Policy (CSP)
||Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.
|Missing Security Header - Strict-Transport-Security (HSTS)
||Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
|Missing 'httpOnly' in Cookie
|Infromation Disclosure - X-Powered-By
||Remove the X-Powered-By header to prevent information gathering.
|Missing Security Header - X-Content-Type-Options
||X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
|Missing Security Header - X-Download-Options: noopen
||X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
|Missing Security Header - X-XSS-Protection:1
||X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
|Missing Security Header - Public-Key-Pins (HPKP)
||Public-Key-Pins (HPKP) ensures that certificate is Pinned.