ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!
Issue | Description | Line | File |
---|---|---|---|
Weak Hash used - SHA1 | SHA1 is a a weak hash which is known to have collision. Use a strong hashing function. | 24 | test/scripts/hexo/router.js |
Weak Hash used - MD5 | MD5 is a a weak hash which is known to have collision. Use a strong hashing function. | 10 | test/scripts/helpers/gravatar.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 9 | lib/hexo/register_models.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 61 | lib/hexo/locals.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 75 | lib/hexo/post.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 127 | lib/hexo/post.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 65 | lib/plugins/filter/new_post_path.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 36 | lib/plugins/filter/post_permalink.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 34 | lib/plugins/console/new.js |
Weak Hash used - MD5 | MD5 is a a weak hash which is known to have collision. Use a strong hashing function. | 7 | lib/plugins/helper/gravatar.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 17 | lib/plugins/helper/link_to.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 18 | lib/plugins/helper/mail_to.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 13 | lib/plugins/helper/image_tag.js |
Key Hardcoded | A hardcoded key in plain text was identified. | 74 | lib/theme/view.js |
Issue | Description |
---|---|
Missing Security Header - X-Frame-Options (XFO) | X-Frame-Options (XFO) header provides protection against Clickjacking attacks. |
Missing Security Header - Content-Security-Policy (CSP) | Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found. |
Missing Security Header - Strict-Transport-Security (HSTS) | Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server. |
Missing 'httpOnly' in Cookie | JavaScript can access Cookies if they are not marked httpOnly. |
Infromation Disclosure - X-Powered-By | Remove the X-Powered-By header to prevent information gathering. |
Missing Security Header - X-Content-Type-Options | X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. |
Missing Security Header - X-Download-Options: noopen | X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context. |
Missing Security Header - X-XSS-Protection:1 | X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers. |
Missing Security Header - Public-Key-Pins (HPKP) | Public-Key-Pins (HPKP) ensures that certificate is Pinned. |
File | Library | Reference |
---|