Source Code Disclosure (Node.js) - Vulnerability Database

Description

The Node.js application source code files are directly accessible through web requests due to server misconfiguration. Instead of executing server-side JavaScript files, the web server is serving them as static content, allowing anyone to download and read the application's source code. This typically occurs when the web server is not properly configured to handle Node.js files or when source files are placed in publicly accessible directories.

Remediation

Take immediate action to prevent source code disclosure:

1. Verify Server Configuration: Ensure your web server (Nginx, Apache, IIS) is configured to proxy requests to the Node.js application rather than serving .js files directly. Node.js applications should run as separate processes behind a reverse proxy.

2. Restrict File Access: Configure your web server to deny direct access to application source files. For Nginx, add:

# Matches any request whose path ends in .js, .json or .env.
# Note: "return" is processed in the rewrite phase, before "deny" is
# evaluated in the access phase, so clients always receive 404 (not 403).
# This pattern also matches client-side .js bundles; scope the location
# to the application source path if bundles are served from the same host.
location ~ \.(js|json|env)$ {
    deny all;
    return 404;
}

For Apache, use:

# Apache 2.4 syntax (on 2.2 the equivalent is "Order deny,allow" / "Deny from all").
<FilesMatch "\.(js|json|env)$">
    Require all denied
</FilesMatch>

3. Separate Source and Public Directories: Keep application source code outside the web server's document root. Only static assets (CSS, images, client-side JavaScript) should be in public directories.

4. Review Deployment Process: Ensure your deployment process doesn't copy source files to publicly accessible locations. Use proper build and deployment tools that separate application code from served content.

5. Rotate Exposed Credentials: Immediately change any credentials, API keys, or secrets that may have been exposed in the source code.
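The following Nginx server block ties steps 1 to 3 together: only a dedicated public directory is served as static content, dotfiles and package manifests are refused, and every other request is proxied to the Node.js process. It is an added example, not configuration from the original page; the paths (/srv/app/public), hostname and port 3000 are assumptions.

```nginx
# Added example (not from the original page). Assumes the application
# code lives in /srv/app/src, static assets in /srv/app/public, and the
# Node.js process listens on 127.0.0.1:3000.
server {
    listen 80;
    server_name example.com;

    # Document root contains static assets only; server-side source is
    # outside this directory, so it can never be served as a file.
    root /srv/app/public;

    # Refuse dotfiles (.env, .git) and package manifests even if they are
    # accidentally copied into the public directory by a deployment step.
    location ~ /\. {
        return 404;
    }
    location ~ ^/(package(-lock)?\.json|node_modules/) {
        return 404;
    }

    # Client-side bundles are served directly from the public root.
    location /static/ {
        try_files $uri =404;
    }

    # Everything else is executed by the Node.js application, never
    # read from disk by Nginx.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After deploying, confirm that a request for a server-side file path (for example /app.js or /.env) returns 404 from Nginx rather than file contents.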
