# Protection Mechanism Failure (CWE-693)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

**Stack:** JavaScript

- Prevalence: Alta Frequentemente explorada
- Impact: Alto 1 regras de severidade alta
- Prevention: Documentada 8 exemplos de correção

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.

## Prevention

Estratégias de prevenção para Protection Mechanism Failure baseadas em 1 regras de detecção do Shoulder.

### JavaScript

Add Helmet middleware to set security headers automatically

## Warning Signs

- [HIGH] Application lacks security headers middleware (helmet, CSP, HSTS, X-Frame-Options, etc.).
Without these headers, the app
- [HIGH] missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing

## Consequences

- Burlar mecanismo de proteção
- Executar código não autorizado
- Obter privilégios

## Mitigations

- Implemente múltiplas camadas de segurança (defesa em profundidade)
- Use mecanismos de segurança padrão da indústria e testados em vez de implementações personalizadas
- Garanta que os mecanismos de proteção não possam ser burlados ou desativados

## Detection

- Total rules: 8
- Languages: dockerfile, go, javascript, typescript

## Rules by Language

### Javascript (1 rules)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:

1. Install: npm install helmet
2. Import: const helmet = require('helmet');
3. Enable: app.use(helmet());

Example:
  const express = require('express');
  const helmet = require('helmet');
  const app = express();
  app.use(helmet());

### Typescript (1 rules)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:

1. Install: npm install helmet
2. Import: const helmet = require('helmet');
3. Enable: app.use(helmet());

Example:
  const express = require('express');
  const helmet = require('helmet');
  const app = express();
  app.use(helmet());