Jonathan Hodgson
b8f104fd00
Makes detection of x-frame-options value case insensitive
...
In other words, sameorigin == SAMEORIGIN == saMeOriGIN
This is in line with the spec for the header:
https://tools.ietf.org/html/rfc7034
2021-01-11 12:07:07 +00:00
Jonathan Hodgson
6feffc731b
BIN: analyse-headers: improve expect-ct description
2020-12-11 15:38:28 +00:00
Jonathan Hodgson
41fd57310a
BIN: analyse-headers: Checks the access-control-allow-origin header
...
Another suggestion by <Dom Ingram>.
For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
2020-12-11 15:26:32 +00:00
Jonathan Hodgson
984298b29b
BIN: analyse-headers: fix most shellcheck warnings
...
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
2020-12-11 15:01:53 +00:00
Jonathan Hodgson
6ac052cd39
BIN: analyse-headers: note on x-frame-options if frame-ancestors present
...
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used
Thanks <Dom Ingram> for the suggestion
2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1b42f81f47
BIN: analyse-headers: Adds generic version disclosure function
...
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure
Thanks <Dom Ingram> for the suggestion
2020-12-09 16:26:47 +00:00
Jonathan Hodgson
e247c85bc9
BIN: analyse-headers: read from stdin if first arg is -
...
This makes testing much easier
2020-12-09 16:24:59 +00:00
Jonathan Hodgson
cad2f2d2d5
BIN: analyse-headers: Add more notes to expect-ct description
...
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
2020-12-09 16:13:39 +00:00
Jonathan Hodgson
7ea1e9a964
BIN: analyse-headers: Fix incorrect reporting of SSL issues
...
It turns out the SSL flags secure and httponly are not case sensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.5
I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2
Thanks <Dom Ingram> for flagging this
2020-12-09 16:08:26 +00:00
Jonathan Hodgson
7a7ffc608d
BIN: analyse-headers: add expect-ct and start referrer-policy
2020-12-03 11:19:35 +00:00
Jonathan Hodgson
3ce547a0b2
BIN: Analyse-headers: Adds to description for cookie flag
2020-12-02 10:54:10 +00:00
Jonathan Hodgson
fb5774a584
BIN: analyse-headers: fix error "wrap command not found"
2020-12-02 09:19:47 +00:00
Jonathan Hodgson
9ef36af8f7
BIN: analyse-headers: adds feature-policy and permissions-policy checks
2020-12-02 09:11:52 +00:00
Jonathan Hodgson
61097006a4
BIN: analyse-headers: Wrap text in descriptions
...
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
2020-12-02 08:32:10 +00:00
Jonathan Hodgson
af81ccd62e
BIN: Adds SameSite check in analyse-headers script
...
The script will now warn you if the SameSite option is not set to Strict
on cookies.
2020-12-01 21:17:34 +00:00
Jonathan Hodgson
1f29c17ab5
BIN: Fix webtest script when : in cookies
...
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
2020-12-01 19:56:33 +00:00
Jonathan Hodgson
a3f75d9b32
BIN: Adds analyse-headers script
...
The script is in early stages of development but should work for some of
the most common mis-configurtaions.
2020-12-01 18:15:01 +00:00