From 7ea1e9a9640748aed48045c8e7f40ef81bc1ae55 Mon Sep 17 00:00:00 2001
From: Jonathan Hodgson
Date: Wed, 9 Dec 2020 16:07:38 +0000
Subject: [PATCH] BIN: analyse-headers: Fix incorrect reporting of SSL issues

It turns out the SSL flags secure and httponly are not case sensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.5
I cannot find any documentation about the SameSite=Strict so I will leave it case sensitive for now.
The spec for that section is here:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2
Thanks for flagging this
---
 bin/.bin/webtest/analyse-headers | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index 615de21e..b4c0c2c2 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -241,14 +241,14 @@ test_set-cookie(){
 if ! echo "$value" | grep -q "HttpOnly"; then
 echo "$value"
- echo "$value" | grep -q "HttpOnly" --color always
+ echo "$value" | grep -qi "HttpOnly" --color always
 output+="The HttpOnly flag isn't set which means the cookie value can \
 be read by JavaScript. If a malicious actor manages to run JavaScript through \
 methods like XSS, they may be able to steal the contents of cookies\n\n"
 ret=$((ret>1 ? ret : 1))
 fi
- if ! echo "$value" | grep -q "Secure"; then
+ if ! echo "$value" | grep -qi "Secure"; then
 output+="The Secure flag isn't set which means the cookie could be \
 sent over unencrypted channels\n\n"
 ret=$((ret>1 ? ret : 1))