Set headers on socks

Hi,

I’ve been running security checks on my Meteor application using ZAP (an automated security scanning tool).
I’ve been able to solve a lot of security issues, but I’m still getting warnings on part of the application. For example, the following error:

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the ‘X-XSS-Protection’ HTTP response header on the web server

These warnings have to do with the HTTP headers.

The following code solves the above header security concerns on all normal pages:

import { WebApp } from 'meteor/webapp';

// Connect-level middleware: runs for every request that reaches the connect stack
WebApp.rawConnectHandlers.use(function(req, res, next) {
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});

But on all /sockjs/info?cb=XXX calls (e.g. /sockjs/info?cb=4yiv7ncev4) those headers added with res.setHeader() are not included. If I understand correctly, these are calls between server and client, like subscriptions or calls to Meteor methods.

Is there any way to include extra headers in these websocket connections?

Thank you so much for your help


Did you find a solution?