
Scan for security headers (CSP, Frame-options, XSS-prot etc.) #79

Closed
halderen opened this issue Oct 21, 2015 · 9 comments

Comments

@halderen

No description provided.

@halderen halderen added this to the icebox milestone Dec 7, 2015
@halderen
Author

Decided by steeringcmte on 2017-01-19 to keep the issue in the icebox. Some items might be properly security-related, but others might be outside the scope of the InternetNL testing altogether. Issue #180 would actually target most of the concerns of this issue.

@baknu
Contributor

baknu commented Sep 5, 2017

See the discussion by mail between SC members on 5 September 2017.

@baknu
Contributor

baknu commented Jan 19, 2018

See below an overview of relevant HTTP security headers:

@gthess gthess modified the milestones: icebox, v6 Feb 22, 2018
@baknu
Contributor

baknu commented Mar 16, 2018

Also see: https://infosec.mozilla.org/guidelines/web_security
We should check and discuss whether there are more headers to test than those mentioned above. Mozilla also tests Cross-Origin Resource Sharing (CORS), Subresource Integrity and Cookies. The latter two do not seem to be headers.

@baknu baknu modified the milestones: v6, v5 Mar 16, 2018
@baknu baknu added enhancement and removed notnow labels Mar 16, 2018
@baknu
Contributor

baknu commented Mar 20, 2018

HSTS, CSP and X-Frame-Options are recommended by NCSC in 'ICT-beveiligingsrichtlijnen voor Webapplicaties' anyway.

@gthess
Collaborator

gthess commented May 18, 2018

Live on dev.

New labels:

  • detail web tls http-*
  • results domain tls http-headers label

@gthess gthess added the content label May 18, 2018
@baknu
Contributor

baknu commented Jul 6, 2018

Add a new category in correspondence with mockup option 3.

@baknu baknu modified the milestones: v6, v7 Jul 6, 2018
@baknu baknu modified the milestones: v7, v6.5 Jul 17, 2018
@gthess
Collaborator

gthess commented Oct 9, 2018

Live on dev.

New category for the security headers test is created for the website test (Application security & privacy options).

Relevant text labels are:

  • base test website explain
  • detail web appsecpriv *
  • faqs content
  • faqs appsecpriv content
  • faqs appsecpriv title
  • results further-testing web content
  • test siteappsecpriv *

@gthess gthess assigned baknu and unassigned gthess Oct 9, 2018
@gthess
Collaborator

gthess commented Oct 15, 2018

Current checks for the new headers:

  • CSP
    • Header is present
  • X-Frame-Options
    • Value is one of (deny, sameorigin, allow-from)
  • X-Content-Type-Options
    • Value is nosniff
  • X-Xss-Protection
    • Should be at least enabled (1)
  • Referrer-Policy
    • Value is valid; one of (no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, sameorigin, strict-origin, strict-origin-when-cross-origin, unsafe-url)
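The five checks listed in the comment above, written out as an added example (this is illustration code, not Internet.nl's own checker). It evaluates a dict of captured response headers case-insensitively, accepts `ALLOW-FROM <uri>` for X-Frame-Options, tolerates `1; mode=block` for X-XSS-Protection, validates every token of a comma-separated Referrer-Policy fallback list, and uses the spec spelling `same-origin` where the comment writes `sameorigin`. The sample header sets are constructed.

```python
# Added example (not Internet.nl project code): evaluate a captured HTTP
# response header set against the five security-header checks listed above.

# Referrer-Policy tokens, spec spelling ("same-origin", not "sameorigin").
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def _get(headers: dict, name: str) -> str:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""

def check_headers(headers: dict) -> dict:
    """Return a pass/fail verdict per check, mirroring the rules above."""
    csp = _get(headers, "Content-Security-Policy")
    xfo = _get(headers, "X-Frame-Options").lower()
    xcto = _get(headers, "X-Content-Type-Options").lower()
    xxp = _get(headers, "X-XSS-Protection").lower()
    rp = _get(headers, "Referrer-Policy").lower()
    return {
        # CSP: only presence is checked at this stage, not the policy itself.
        "csp": bool(csp),
        # X-Frame-Options: deny / sameorigin, or allow-from followed by a URI.
        "x_frame_options": xfo in ("deny", "sameorigin") or xfo.startswith("allow-from "),
        "x_content_type_options": xcto == "nosniff",
        # X-XSS-Protection: at least enabled ("1"), optional "; mode=block" suffix.
        "x_xss_protection": xxp.split(";")[0].strip() == "1",
        # Referrer-Policy may list fallbacks separated by commas; each must be valid.
        "referrer_policy": bool(rp) and all(t.strip() in REFERRER_POLICIES for t in rp.split(",")),
    }

# Constructed sample responses (not real scan output).
GOOD = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "x-frame-options": "ALLOWALL",          # not an accepted value
    "X-XSS-Protection": "0",                # filter explicitly disabled
    "Referrer-Policy": "unsafe-url, bogus", # second token is not a valid policy
}
```

Running `check_headers(GOOD)` yields all checks true; `check_headers(WEAK)` fails every check, including CSP and X-Content-Type-Options because those headers are absent.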
