How to remediate – Fetch/XHR Detected

Contents

1. Introduction

The scan detected that your web application makes requests using Fetch or XMLHTTPRequests (XHRs) to communicate with a backend API server. These requests allow data retrieval from an API without reloading the page, common in Single Page Applications. This isn’t a vulnerability *in itself*, but indicates systems communicating over network APIs which may be exposed to attack if not secured correctly. Impact on confidentiality, integrity and availability depends on how these APIs are protected.

2. Technical Explanation

Fetch/XHR requests are standard web technologies for asynchronous communication with servers. An attacker could intercept or manipulate these requests if they aren’t properly secured (e.g., using HTTPS, input validation, and authentication). The precondition is a vulnerable API endpoint accessible from the client-side code. For example, an attacker might modify a request to access data they shouldn’t be able to see.

Root cause: Use of Fetch/XHR without appropriate security measures.
Exploit mechanism: An attacker could intercept network traffic and modify requests or responses. They may also attempt cross-site scripting (XSS) attacks if the API doesn’t properly sanitize data.
Scope: Web applications using JavaScript to communicate with APIs.

3. Detection and Assessment

Confirming Fetch/XHR usage involves checking network traffic or reviewing client-side code. A quick check is to inspect browser developer tools.

Quick checks: Open your browser’s developer tools (usually F12) and navigate to the “Network” tab while using the application. Look for requests with types like “Fetch/XHR”.
Scanning: Static code analysis tools can identify Fetch/XHR calls in JavaScript files.
Logs and evidence: Web server logs may show API request patterns corresponding to XHR activity.

// Example command placeholder:
// No specific command available for this detection, use browser dev tools.

4. Solution / Remediation Steps

Securing Fetch/XHR requests involves implementing standard web security practices.

4.1 Preparation

Dependencies: Ensure you have access to modify client-side code and configure the API server. Roll back plan: Revert any code changes made during implementation.

4.2 Implementation

Step 1: Ensure all API communication uses HTTPS.
Step 2: Implement proper input validation on the server-side to prevent injection attacks.
Step 3: Use appropriate authentication and authorization mechanisms for API access.

4.3 Config or Code Example

Before

fetch('http://example.com/api/data') // Insecure HTTP request
  .then(response => response.json());

After

fetch('https://example.com/api/data', { mode: 'cors' }) // Secure HTTPS request with CORS enabled
  .then(response => response.json());

4.4 Security Practices Relevant to This Vulnerability

Several security practices directly address the risks associated with Fetch/XHR requests.

Least privilege: Grant API access only to authorized users and services.
Secure defaults: Configure APIs with secure settings by default, such as HTTPS enabled and CORS properly configured.

4.5 Automation (Optional)

No specific automation script is provided for this vulnerability type.

5. Verification / Validation

Confirm the fix by verifying that all API communication uses HTTPS and that input validation is working correctly.

Post-fix check: Open your browser’s developer tools and confirm that all requests to the API use HTTPS.
Re-test: Repeat the initial detection steps (inspecting network traffic) to ensure no insecure HTTP requests are present.
Smoke test: Verify that key application features relying on the API continue to function as expected.
Monitoring: Monitor web server logs for any suspicious activity or errors related to API access.

// Post-fix command and expected output
// No specific command available, use browser dev tools to verify HTTPS.

6. Preventive Measures and Monitoring

Update security baselines and implement checks in CI/CD pipelines.

Baselines: Update your web application security baseline to require HTTPS for all API communication.
Pipelines: Add static code analysis tools to your CI/CD pipeline to identify insecure HTTP requests or missing input validation.
Asset and patch process: Regularly review and update the security configuration of your web servers and APIs.

7. Risks, Side Effects, and Roll Back

Changing API communication protocols may cause compatibility issues.

Risk or side effect 1: Compatibility issues with older clients that do not support HTTPS. Mitigation: Provide a fallback mechanism for older clients if necessary.
Roll back: Revert any code changes made during implementation to restore the previous functionality.

8. References and Resources

Vendor advisory or bulletin: N/A – this is a general security practice, not a specific vendor vulnerability.
NVD or CVE entry: N/A – this is a general security practice, not a specific CVE.
Product or platform documentation relevant to the fix: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

Updated on December 27, 2025

Was this article helpful?

Yes No