# Protection Mechanism Failure (CWE-693)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

- Prevalence: High (frequently exploited)
- Impact: High (1 high-severity rule)
- Prevention: Documented (8 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

This weakness covers three distinct situations: missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.

## Prevention

Prevention strategies for Protection Mechanism Failure based on 8 Shoulder detection rules.

### Docker

- Add a HEALTHCHECK instruction to enable container health monitoring

### Go

- Add security headers middleware to Chi router
- Add Echo Secure middleware to set security HTTP headers
- Add Fiber Helmet middleware to set security HTTP headers

### Node.js

- Add Helmet middleware to set security headers automatically

## Warning Signs

- [HIGH] Application lacks security headers middleware (helmet, CSP, HSTS, X-Frame-Options, etc.).
  Without these headers, the app
- [HIGH] Missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing
- [MEDIUM] Gin application missing security headers middleware
- [MEDIUM] Application lacks important security headers
- [LOW] Dockerfile has no HEALTHCHECK instruction for container health monitoring
- [LOW] Dockerfiles missing HEALTHCHECK instructions for container monitoring

## Consequences

- Bypass Protection Mechanism
- Execute Unauthorized Code
- Gain Privileges

## Mitigations

- Implement multiple layers of security (defense in depth)
- Use industry-standard, tested security mechanisms rather than custom implementations
- Ensure protection mechanisms cannot be bypassed or disabled

## Detection

- Total rules: 8
- Languages: dockerfile, go, javascript, typescript

## Rules by Language

### Go (6 rules)

- **Chi Missing Security Headers** [MEDIUM]: Chi application missing security HTTP headers middleware.
  - Remediation: Add security headers via middleware.

```go
r := chi.NewRouter()
// Router-level middleware runs for every route registered on r, so each
// response carries the headers regardless of which handler produced it.
r.Use(func(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
})
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers

- **Echo Missing Security Headers** [MEDIUM]: Echo application missing security HTTP headers middleware.
  - Remediation: Add Secure middleware to set security headers.

```go
e := echo.New()
// middleware.Secure() with no config applies Echo's default security headers.
e.Use(middleware.Secure())
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers

- **Fiber Missing Security Headers** [MEDIUM]: Fiber application missing security HTTP headers middleware.
  - Remediation: Add Helmet middleware to set security headers.
```go
import "github.com/gofiber/fiber/v2/middleware/helmet" // alongside "github.com/gofiber/fiber/v2"

app := fiber.New()
// helmet.New() with no options applies the middleware's default header set.
app.Use(helmet.New())
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers

- **Gin Missing Security Headers** [MEDIUM]: Gin application missing security HTTP headers middleware.
  - Remediation: Add security headers middleware using gin-contrib/secure.

```go
import "github.com/gin-contrib/secure"

r := gin.Default()
// secure.DefaultConfig() enables the middleware's standard header set; adjust
// individual fields rather than removing the middleware if a default does not fit.
r.Use(secure.New(secure.DefaultConfig()))
r.Run(":8080")
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers

- **Gorilla Missing Security Headers** [MEDIUM]: Gorilla Mux application missing security HTTP headers middleware.
  - Remediation: Add security headers via middleware.

```go
r := mux.NewRouter()
// Router-level middleware applies to every route, including ones added later.
r.Use(func(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
})
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers

- **Missing HTTP Security Headers** [MEDIUM]: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.
  - Remediation: Add security headers in middleware applied to all routes.

```go
// securityHeaders wraps a handler (or a whole mux) so every response it
// produces carries the headers; set them before calling next, since headers
// cannot be added once the response body has started.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy", "default-src 'self'")
		next.ServeHTTP(w, r)
	})
}
```

Learn more: https://shoulder.dev/learn/go/cwe-693/missing-security-headers

### Dockerfile (1 rule)

- **Missing Healthcheck Configuration** [LOW]: Detects Dockerfiles missing HEALTHCHECK instructions for container monitoring.
  - Remediation: Add a HEALTHCHECK instruction to monitor container health.
```dockerfile
# The check runs inside the container, so the image must provide curl (or use
# a tool the image already ships); the port and path must match the app's
# health endpoint.
HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1
```

Learn more: https://shoulder.dev/learn/docker/cwe-693/missing-healthcheck

### JavaScript (1 rule)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:
    1. Install: `npm install helmet`
    2. Import: `const helmet = require('helmet');`
    3. Enable: `app.use(helmet());`

Example:

```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();
// Register helmet before any routes so every response carries its headers.
app.use(helmet());
```

### TypeScript (1 rule)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:
    1. Install: `npm install helmet`
    2. Import: `const helmet = require('helmet');`
    3. Enable: `app.use(helmet());`

Example:

```typescript
const express = require('express');
const helmet = require('helmet');

const app = express();
// Register helmet before any routes so every response carries its headers.
app.use(helmet());
```
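As an added example that is not part of the Shoulder rule set or of any framework above, the following standard-library Go program ties the Go rules and the Dockerfile rule together: a `securityHeaders` middleware wrapped around the whole mux (so the router's own 404 responses get the headers too), a `missingSecurityHeaders` audit that reports which of the headers the rules look for are absent from a response, and a `/health` endpoint for the HEALTHCHECK to probe that answers 503 until the application is ready. The header set in `requiredHeaders`, the function names and the readiness flag are this example's own choices; the CSP value is a placeholder an application must replace with its real policy, and `Strict-Transport-Security` only has effect on responses served over HTTPS.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"sync/atomic"
)

// requiredHeaders: the headers the CWE-693 rules above look for, with the
// values this example sets. The CSP is a placeholder (assumption) that a real
// application must replace; HSTS is only honoured by browsers on HTTPS.
var requiredHeaders = map[string]string{
	"X-Frame-Options":           "DENY",
	"X-Content-Type-Options":    "nosniff",
	"Content-Security-Policy":   "default-src 'self'",
	"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

// securityHeaders sets every required header before delegating, so they are
// present on all responses the wrapped handler produces, including the
// router's own 404/405 error responses.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range requiredHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// missingSecurityHeaders is the detection side of the same rule: it returns,
// sorted, the names from requiredHeaders absent from a response header set.
func missingSecurityHeaders(h http.Header) []string {
	missing := make([]string, 0, len(requiredHeaders))
	for name := range requiredHeaders {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// ready is flipped once the application's dependencies are usable; until then
// /health answers 503 so the container HEALTHCHECK reports unhealthy.
var ready int32

func setReady(ok bool) {
	var v int32
	if ok {
		v = 1
	}
	atomic.StoreInt32(&ready, v)
}

// healthHandler is the target of the Dockerfile HEALTHCHECK. It reports only
// up/down, no version or dependency details.
func healthHandler(w http.ResponseWriter, r *http.Request) {
	if atomic.LoadInt32(&ready) == 0 {
		http.Error(w, "not ready", http.StatusServiceUnavailable)
		return
	}
	fmt.Fprintln(w, "ok")
}

// newServer wraps the whole mux rather than individual routes, so a route
// added later cannot be registered without the headers.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", healthHandler)
	mux.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello")
	})
	return securityHeaders(mux)
}

// probe sends an in-memory GET and returns the status code plus the list of
// required headers missing from the response.
func probe(h http.Handler, path string) (int, []string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, missingSecurityHeaders(rec.Result().Header)
}

func main() {
	// A bare mux, as the rules would flag it: every required header is absent.
	bare := http.NewServeMux()
	bare.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {})
	_, missing := probe(bare, "/hello")
	fmt.Println("bare mux, missing:", missing)

	srv := newServer()
	code, missing := probe(srv, "/health")
	fmt.Println("health before ready:", code, "missing:", missing)
	setReady(true)
	code, _ = probe(srv, "/health")
	fmt.Println("health after ready:", code)
	code, missing = probe(srv, "/nope")
	fmt.Println("unknown route:", code, "missing:", missing)

	// In a deployment the HEALTHCHECK above would hit this listener:
	// http.ListenAndServe(":8080", srv)
}
```

The audit function is the same check a scanner or an integration test can run against a live deployment: fetch a page and a deliberately unknown path, and fail the build if either response is missing a header, since error pages produced by the router are the ones most often left unprotected when middleware is attached per route instead of to the mux.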