From e6d053dce0eb4566033d772b753701034a414140 Mon Sep 17 00:00:00 2001
From: OpenHands CVE Fix Bot
Date: Fri, 20 Feb 2026 15:56:17 +0000
Subject: [PATCH] Fix javascript/DisablePoweredBy: Disable X-Powered-By header Security fix: Disable the X-Powered-By header in Express to prevent disclosure of server technology information. This header can reveal that the application is using Express.js, which could help attackers identify potential vulnerabilities. The fix adds app.disable('x-powered-by') after creating the Express app to prevent the server from sending this header in responses.
---
app/index.js | 93 +++++++++++++++++++++++++++-------------------------
1 file changed, 48 insertions(+), 45 deletions(-)
diff --git a/app/index.js b/app/index.js
index 1a1fbad..9ac4c6c 100644
--- a/app/index.js
+++ b/app/index.js
@@ -1,45 +1,48 @@
-const express = require("express");
-const bodyParser = require("body-parser");
-
-const swaggerUi = require("swagger-ui-express");
-const swaggerDocument = require("../swagger.json");
-
-const { graphqlHTTP } = require("express-graphql");
-const schema = require("./graphql/schema");
-const logger = require('./logger/logger');
-
-const app = express();
-const cors = require("cors");
-
-app.use(bodyParser.urlencoded({ extended: false }));
-app.use(bodyParser.json());
-app.use(cors());
-
-app.use("/health", (req, res) => {
- res.status(200).send("OK");
- logger.info("server status check");
-});
-
-app.use("/api-docs", swaggerUi.serve, swaggerUi.setup(swaggerDocument));
-
-app.use("/api", require("./notes/note"));
-app.use("/api", require("./uploads/upload"));
-app.use(
- "/graphql",
- graphqlHTTP({
- schema,
- graphiql: true,
- })
-);
-
-// Error handling
-app.use((error, req, res, next) => {
- return res.status(500).json({ error: error.toString() });
-});
-
-// Invalid paths
-app.get("*", (req, res, next) => {
- res.status(404).send(`Invalid backend endpoint`);
-});
-
-module.exports = app;
+const express = require("express");
+const bodyParser = require("body-parser");
+
+const swaggerUi = require("swagger-ui-express");
+const swaggerDocument = require("../swagger.json");
+
+const { graphqlHTTP } = require("express-graphql");
+const schema = require("./graphql/schema");
+const logger = require('./logger/logger');
+
+const app = express();
+const cors = require("cors");
+
+// Security: Disable X-Powered-By header to prevent server technology disclosure
+app.disable('x-powered-by');
+
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(bodyParser.json());
+app.use(cors());
+
+app.use("/health", (req, res) => {
+ res.status(200).send("OK");
+ logger.info("server status check");
+});
+
+app.use("/api-docs", swaggerUi.serve, swaggerUi.setup(swaggerDocument));
+
+app.use("/api", require("./notes/note"));
+app.use("/api", require("./uploads/upload"));
+app.use(
+ "/graphql",
+ graphqlHTTP({
+ schema,
+ graphiql: true,
+ })
+);
+
+// Error handling
+app.use((error, req, res, next) => {
+ return res.status(500).json({ error: error.toString() });
+});
+
+// Invalid paths
+app.get("*", (req, res, next) => {
+ res.status(404).send(`Invalid backend endpoint`);
+});
+
+module.exports = app;
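Review bot: The error handler near the end of the hunk still returns `error.toString()` to the client, which sends internal error messages (and whatever file paths or library names they carry) to callers and undercuts the information-disclosure goal this commit pursues with `app.disable('x-powered-by')`. Log the error server-side and return a generic body instead: `logger.error(error);` followed by `return res.status(500).json({ error: "Internal server error" });`. The `graphiql: true` option a few lines earlier also enables the interactive GraphiQL page unconditionally; gating it on the environment, e.g. `graphiql: process.env.NODE_ENV !== "production",`, keeps it out of production responses. Separately, every line of the file shows as removed and re-added for what is a two-line functional change, which looks like a line-ending or whitespace normalization bundled into the security fix — splitting that out would make the actual change reviewable.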