observatory-vuln.json
{
"status": 0,
"data": {
"grade": "F",
"response_headers": {
"Date": "Fri, 03 Feb 2023 17:28:48 GMT",
"Server": "Apache/2.2.22 (Debian)",
"Last-Modified": "Tue, 04 Aug 2015 21:33:52 GMT",
"ETag": "\"320395-24f-51c830adb7000\"",
"Accept-Ranges": "bytes",
"Vary": "Accept-Encoding",
"Content-Encoding": "gzip",
"Content-Length": "366",
"Keep-Alive": "timeout=5, max=100",
"Connection": "Keep-Alive",
"Content-Type": "text/html"
},
"tests": {
"content-security-policy": {
"expectation": "csp-implemented-with-no-unsafe",
"result": "csp-not-implemented",
"description": "Content Security Policy (CSP) header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#content-security-policy",
"hint": "Content Security Policy (CSP) can prevent a wide range of cross-site scripting (XSS) and clickjacking attacks against your website."
},
"cookies": {
"expectation": "cookies-secure-with-httponly-sessions",
"result": "cookies-not-found",
"description": "No cookies detected",
"link": "https://infosec.mozilla.org/guidelines/web_security#cookies",
"hint": "Using cookies attributes such as Secure and HttpOnly can protect users from having their personal information stolen."
},
"contribute": {
"expectation": "contribute-json-only-required-on-mozilla-properties",
"result": "contribute-json-only-required-on-mozilla-properties",
"description": "Contribute.json isn't required on websites that don't belong to Mozilla",
"link": "",
"hint": ""
},
"cross-origin-resource-sharing": {
"expectation": "cross-origin-resource-sharing-not-implemented",
"result": "cross-origin-resource-sharing-not-implemented",
"description": "Content is not visible via cross-origin resource sharing (CORS) files or headers",
"link": "https://infosec.mozilla.org/guidelines/web_security#cross-origin-resource-sharing",
"hint": "Incorrectly configured CORS settings can allow foreign sites to read your site's contents, possibly allowing them access to private user information."
},
"public-key-pinning": {
"expectation": "hpkp-not-implemented",
"result": "hpkp-invalid-cert",
"description": "HTTP Public Key Pinning (HPKP) header cannot be set, as site contains an invalid certificate chain",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-public-key-pinning",
"hint": "HTTP Public Key Pinning (HPKP) binds a site to a specific combination of certificate authorities and/or keys, protecting against the unauthorized issuance of certificates."
},
"redirection": {
"expectation": "redirection-to-https",
"result": "redirection-not-needed-no-http",
"description": "Not able to connect via HTTP, so no redirection necessary",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-redirections",
"hint": "Properly configured redirections from HTTP to HTTPS allow browsers to correctly apply HTTP Strict Transport Security (HSTS) settings."
},
"referrer-policy": {
"expectation": "referrer-policy-private",
"result": "referrer-policy-not-implemented",
"description": "Referrer-Policy header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#referrer-policy",
"hint": ""
},
"strict-transport-security": {
"expectation": "hsts-implemented-max-age-at-least-six-months",
"result": "hsts-invalid-cert",
"description": "HTTP Strict Transport Security (HSTS) header cannot be set, as site contains an invalid certificate chain",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security",
"hint": "HTTP Strict Transport Security (HSTS) instructs web browsers to visit your site only over HTTPS."
},
"subresource-integrity": {
"expectation": "sri-implemented-and-external-scripts-loaded-securely",
"result": "sri-not-implemented-but-no-scripts-loaded",
"description": "Subresource Integrity (SRI) is not needed since site contains no script tags",
"link": "https://infosec.mozilla.org/guidelines/web_security#subresource-Integrity",
"hint": "Subresource Integrity protects against JavaScript files and stylesheets stored on content delivery networks (CDNs) from being maliciously modified."
},
"x-content-type-options": {
"expectation": "x-content-type-options-nosniff",
"result": "x-content-type-options-not-implemented",
"description": "X-Content-Type-Options header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-content-type-options",
"hint": "X-Content-Type-Options instructs browsers to not guess the MIME types of files that the web server is delivering."
},
"x-frame-options": {
"expectation": "x-frame-options-sameorigin-or-deny",
"result": "x-frame-options-not-implemented",
"description": "X-Frame-Options (XFO) header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-frame-options",
"hint": "X-Frame-Options controls whether your site can be framed, protecting against clickjacking attacks. It has been superseded by Content Security Policy's <code>frame-ancestors</code> directive, but should still be used for now."
},
"x-xss-protection": {
"expectation": "x-xss-protection-1-mode-block",
"result": "x-xss-protection-not-implemented",
"description": "X-XSS-Protection header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-xss-protection",
"hint": "X-XSS-Protection protects against reflected cross-site scripting (XSS) attacks in IE and Chrome, but has been superseded by Content Security Policy. It can still be used to protect users of older web browsers."
}
}
}
}