Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.
How to fix this vulnerability
Prevention strategies for Protection Mechanism Failure based on 8 Shoulder detection rules.
Add a HEALTHCHECK instruction to enable container health monitoring
FROM node:24-alpine WORKDIR /app COPY . . EXPOSE 3000 + HEALTHCHECK --interval=30s --timeout=10s --retries=3 \ + CMD curl -f http://localhost:3000/health || exit 1 CMD ["node", "server.js"]
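Review bot: the added `CMD curl -f http://localhost:3000/health || exit 1` will fail on this base image: the node alpine images do not ship curl, so the health check reports unhealthy regardless of the app's state. Use the BusyBox wget that is present (`wget -qO- http://localhost:3000/health || exit 1`) or a node one-liner, and consider `--start-period` so the container is not marked unhealthy while the server is still starting.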
Add security headers middleware to Chi router
package main import ( "net/http" "github.com/go-chi/chi/v5" ) - func main() { - r := chi.NewRouter() + func securityHeaders(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("X-Content-Type-Options", "nosniff") + w.Header().Set("X-XSS-Protection", "1; mode=block") + next.ServeHTTP(w, r) + }) + } + + func main() { + r := chi.NewRouter() + r.Use(securityHeaders) r.Get("/", homeHandler) http.ListenAndServe(":8080", r) }
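Review bot: the middleware sets `X-XSS-Protection: 1; mode=block`, a header modern browsers no longer honour (Chromium removed the XSS auditor and Firefox never implemented it); either drop it or set it to `0`, and add the headers that actually carry the defense today, at least `Content-Security-Policy` and `Referrer-Policy`, plus `Strict-Transport-Security` on TLS listeners. Separately, `http.ListenAndServe(":8080", r)` discards its error; wrap it in `log.Fatal(...)` so a failed bind is not silent.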
Add Echo Secure middleware to set security HTTP headers
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() + import ( + "github.com/labstack/echo/v4" + "github.com/labstack/echo/v4/middleware" + ) + + func main() { + e := echo.New() + e.Use(middleware.SecureWithConfig(middleware.SecureConfig{ + XFrameOptions: "DENY", + ContentTypeNosniff: "nosniff", + XSSProtection: "1; mode=block", + ContentSecurityPolicy: "default-src 'self'", + })) e.GET("/", homeHandler) e.Start(":8080") }
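Review bot: the `SecureConfig` omits `HSTSMaxAge`, so no `Strict-Transport-Security` header is sent; set it (for example `HSTSMaxAge: 31536000`) on the TLS-facing deployment. The `ContentSecurityPolicy: "default-src 'self'"` value will also block any inline script or style the existing pages use, so roll it out with `CSPReportOnly: true` first and tighten from there. As in the other snippets, `e.Start(":8080")` returns an error that is dropped; the usual Echo form is `e.Logger.Fatal(e.Start(":8080"))`.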
Add Fiber Helmet middleware to set security HTTP headers
package main - import "github.com/gofiber/fiber/v2" - - func main() { - app := fiber.New() + import ( + "github.com/gofiber/fiber/v2" + "github.com/gofiber/fiber/v2/middleware/helmet" + ) + + func main() { + app := fiber.New() + app.Use(helmet.New()) app.Get("/", homeHandler) app.Listen(":3000") }
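Review bot: `helmet.New()` with its default config sets `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` but no `Content-Security-Policy` and no HSTS (`ContentSecurityPolicy` defaults to empty and `HSTSMaxAge` to 0), so the change does not cover the two headers that matter most for this weakness. Pass an explicit config, e.g. `app.Use(helmet.New(helmet.Config{ContentSecurityPolicy: "default-src 'self'", HSTSMaxAge: 31536000}))`, and check the `app.Listen(":3000")` error rather than discarding it.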
Add Helmet middleware to set security headers automatically
const express = require('express'); - const app = express(); + const helmet = require('helmet'); + const app = express(); + + app.use(helmet()); app.get('/', (req, res) => { res.send('<h1>Hello</h1>'); });
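The four diffs above each bolt a framework-specific middleware onto a router; the underlying fix is the same in every case, a wrapper that stamps the headers on the response before the handler runs, and the accompanying check is a test that fails when a route bypasses that wrapper. The following stdlib Go program is an added example, not code from Shoulder or from any of the frameworks shown; the header names and values in requiredHeaders are constructed defaults for the example, and the routes and handler names are hypothetical. It also goes slightly beyond the diffs by sending HSTS only on TLS requests and by exposing the check as a function.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// requiredHeaders lists the headers a hardened response must carry.
// The values are constructed defaults for this example, not a project policy.
var requiredHeaders = map[string]string{
	"X-Frame-Options":         "DENY",
	"X-Content-Type-Options":  "nosniff",
	"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
	"Referrer-Policy":         "no-referrer",
}

// SecurityHeaders is a net/http middleware that applies requiredHeaders to
// every response before the wrapped handler runs. It deliberately omits the
// deprecated X-XSS-Protection header. HSTS is added only when the request
// arrived over TLS: browsers ignore it on plain HTTP, and a long max-age sent
// from a dev listener is hard to undo.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for name, value := range requiredHeaders {
			h.Set(name, value)
		}
		if r.TLS != nil {
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		}
		next.ServeHTTP(w, r)
	})
}

// MissingSecurityHeaders returns, sorted, the names from requiredHeaders that
// are absent from h or carry a different value. A zero-length result means the
// response is compliant; anything else is a route that bypassed the middleware.
func MissingSecurityHeaders(h http.Header) []string {
	var missing []string
	for name, want := range requiredHeaders {
		if h.Get(name) != want {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// homeHandler is a hypothetical application route.
func homeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<h1>Hello</h1>")
}

// CheckHandler serves one in-memory request to h and reports which required
// headers are missing, so protected and unprotected handlers can be compared
// without opening a socket. target is the request URL, e.g. "/" or "https://example.test/".
func CheckHandler(h http.Handler, target string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return MissingSecurityHeaders(rec.Result().Header)
}

func main() {
	bare := http.HandlerFunc(homeHandler)
	fmt.Println("unprotected, missing:", CheckHandler(bare, "/"))
	fmt.Println("protected, missing:  ", CheckHandler(SecurityHeaders(bare), "/"))

	// Wiring for a real server; ListenAndServe is left out so the example exits.
	mux := http.NewServeMux()
	mux.Handle("/", SecurityHeaders(bare))
	_ = mux
}
```

Run as `go run main.go`; the first line lists all four header names, the second prints an empty list. In a code base, MissingSecurityHeaders belongs in a test that walks every registered route, which is the check that catches the "missing protection mechanism" case this CWE describes rather than the middleware itself.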
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Protection Mechanism Failure patterns. 8 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=693

# Or scan entire project
npx @shoulderdev/cli trust .
Detection Rules (8)
What to watch for in code reviews
These patterns indicate potential Protection Mechanism Failure vulnerabilities. Look for these during code reviews and security audits.
Scan your codebase for Protection Mechanism Failure
Shoulder CLI finds vulnerable patterns across your entire codebase.