Dotfiles

Author	SHA1	Message	Date
Jonathan Hodgson	30dd026965	BIN: analyse-headers: bug fixes A couple of bug fixes, removed some unnecesary echos and fixed crash if name is too long to fit in the heading box	4 years ago
Jonathan Hodgson	349963cdad	BIN: fix csp check in analyse-headers the csp function didn't correctly return 1 when a missconfigured csp was found	4 years ago
Jonathan Hodgson	3f01926ab6	Improve handling of CSP Although I'd like to re-do the csp handling, this change fixes the detection of unsafe-inline and unsafe-eval.	4 years ago
Jonathan Hodgson	e77aa36e70	Makes detection of x-frame-options value case insensitive In other words, sameorigin == SAMEORIGIN == saMeOriGIN This is in line with the spec for the header: https://tools.ietf.org/html/rfc7034	4 years ago
Jonathan Hodgson	909a6e5e3c	BIN: analyse-headers: improve expect-ct description	4 years ago
Jonathan Hodgson	b49d000408	BIN: analyse-headers: Checks the access-control-allow-origin header Another suggestion by <Dom Ingram>. For more details on the null issue, read here: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null	4 years ago
Jonathan Hodgson	f669880037	BIN: analyse-headers: fix most shellcheck warnings The only checks I haven't fixed are the unused variables for colours. I may use them in the future so haven't removed them	4 years ago
Jonathan Hodgson	2e1dff91a3	BIN: analyse-headers: note on x-frame-options if frame-ancestors present If the frame-ancestors content security policy is present, the x-frame-options warning mentions that the content security helps mitigate against clickjacking although for greater browser support, x-frame-options should also be used Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	1fabc27b79	BIN: analyse-headers: Adds generic version disclosure function if the header contains the word "version" (case insensitively) it will flag it as potential information disclosure Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	27b9af6327	BIN: analyse-headers: read from stdin if first arg is - This makes testing much easier	4 years ago
Jonathan Hodgson	039f4e2270	BIN: analyse-headers: Add more notes to expect-ct description As pointed out by <Dom Ingram>, the expect-ct is likely to become obsolete in June 2012 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT	4 years ago
Jonathan Hodgson	bf132e16c2	BIN: analyse-headers: Fix incorrect reporting of SSL issues It turns out the SSL flags secure and httponly are not case sensitive. https://tools.ietf.org/html/rfc6265#section-5.2.5 I cannot find any documentation about the SameSite=Strict so I will leave it case sensitive for now. The spec for that section is here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2 Thanks <Dom Ingram> for flagging this	4 years ago
Jonathan Hodgson	69c7355225	BIN: analyse-headers: add expect-ct and start referrer-policy	4 years ago
Jonathan Hodgson	5369861bc8	BIN: Analyse-headers: Adds to description for cookie flag	4 years ago
Jonathan Hodgson	3665bb63a2	BIN: analyse-headers: fix error "wrap command not found"	4 years ago
Jonathan Hodgson	97df97a48b	BIN: analyse-headers: adds feature-policy and permissions-policy checks	4 years ago
Jonathan Hodgson	afa3f3495a	BIN: analyse-headers: Wrap text in descriptions The text in descriptions is now wrapped to 80 chars. This does not affect the headers printed at the top which are not wrapped	4 years ago
Jonathan Hodgson	fb5d25dc6c	BIN: Adds SameSite check in analyse-headers script The script will now warn you if the SameSite option is not set to Strict on cookies.	4 years ago
Jonathan Hodgson	c384064641	BIN: Fix webtest script when : in cookies If there was a colon in a cookie, the script would misidentify insecure cookie configurations	4 years ago
Jonathan Hodgson	ab2c56d9b5	BIN: Adds analyse-headers script The script is in early stages of development but should work for some of the most common mis-configurtaions.	4 years ago

20 Commits (f9301f19595863aaa9ec1f391891ceab6ce8b513)