Express Directory Listing Disable
A security-focused codemod that transforms Express.js static middleware configurations to explicitly disable directory listing, preventing potential information disclosure vulnerabilities.
Security Issue
Express.js applications with directory listing enabled expose sensitive file structure information, creating security vulnerabilities (CWE-548: Information Exposure Through Directory Listing). When express.static() is used without proper configuration, it may allow attackers to browse directory contents and discover sensitive files, configuration details, or application structure.
What it does
This codemod automatically adds security options to express.static() calls:
- dotfiles: 'deny' - Denies requests for dotfiles (hidden files whose names start with a dot), so files such as .env or .git contents under the static root are not served
- index: false - Disables automatic serving of index files and directory listing
Transformations
Basic static middleware
Before:
javascript
After:
javascript
Static middleware with mount path
Before:
javascript
After:
javascript
Complex path expressions
Before:
javascript
After:
javascript
Merging with existing options
Before:
javascript
After:
javascript
What it skips
- Files that already have both dotfiles: 'deny' and index: false configured
- Files without Express imports/requires
- Files containing a // Security bypass for development comment (an explicit opt-out marker)
- Non-Express static calls (e.g., someOtherObject.static())
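The following is an added illustration of the transformation and skip rules described above, not the codemod's own implementation: a minimal text-level rewriter that appends the two options to every express.static(root[, options]) call, merges with an existing options literal, and leaves the file untouched when it opts out, does not import Express, or is already configured. It assumes the Express import binds the name express and that any options argument is an inline object literal with plain keys.

```javascript
const REQUIRED_OPTIONS = [['dotfiles', "'deny'"], ['index', 'false']];
const BYPASS_COMMENT = '// Security bypass for development';

// Scan the call whose '(' sits at `open`; return its closing ')' index and top-level arguments.
function scanCallArgs(src, open) {
  const args = [];
  let depth = 0, quote = null, start = open + 1;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === "'" || c === '"' || c === '`') quote = c;
    else if ('([{'.includes(c)) depth++;
    else if (c === ',' && depth === 0) { args.push(src.slice(start, i)); start = i + 1; }
    else if (')]}'.includes(c) && depth-- === 0) { // the ')' that closes this call
      if (src.slice(start, i).trim()) args.push(src.slice(start, i));
      return { close: i, args: args.map((a) => a.trim()) };
    }
  }
  throw new Error('unbalanced express.static() call');
}

// Merge the two required options into an existing options literal (or create one);
// keys the developer already set are kept, only the missing ones are appended.
function hardenOptions(optsSrc) {
  const body = optsSrc ? optsSrc.replace(/^\{|\}$/g, '').trim() : '';
  const keys = scanCallArgs(`(${body})`, 0).args.map((p) => p.split(':')[0].trim().replace(/^['"]|['"]$/g, ''));
  const missing = REQUIRED_OPTIONS.filter(([k]) => !keys.includes(k)).map(([k, v]) => `${k}: ${v}`);
  if (missing.length === 0) return optsSrc; // already hardened: caller leaves the call alone
  return `{ ${(body ? [body, ...missing] : missing).join(', ')} }`;
}

// Rewrite every express.static() call in `src`, honouring the three skip rules.
function transform(src) {
  if (src.includes(BYPASS_COMMENT)) return src; // explicit opt-out
  if (!/require\(['"]express['"]\)|from\s+['"]express['"]/.test(src)) return src; // not an Express file
  const call = /\bexpress\.static\(/g; // `\b` keeps someOtherObject.static() from matching
  let out = '', last = 0, m;
  while ((m = call.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;
    const { close, args } = scanCallArgs(src, open);
    call.lastIndex = close;
    if (args.length === 0) continue; // no root argument: nothing to harden
    const opts = hardenOptions(args[1]);
    if (opts === args[1]) continue; // both options already present
    out += src.slice(last, open + 1) + `${args[0]}, ${opts}`;
    last = close;
  }
  return out + src.slice(last);
}
```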
Installation & Usage
bash
Supported Languages
- JavaScript (.js)
- TypeScript (.ts)
- JSX (.jsx)
- TSX (.tsx)
Supports both ES6 imports and CommonJS requires:
javascript
Development
bash
Security References
- CWE-548: Information Exposure Through Directory Listing
- Express.js Security Best Practices
- Express Static Middleware Documentation
License
MIT