-
Notifications
You must be signed in to change notification settings - Fork 34
Feature/break missing resp headers test #232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ankush-jain-akto
wants to merge
6
commits into
standard
Choose a base branch
from
feature/break_missing_resp_headers_test
base: standard
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
9eda013
Add check for missing caching and privacy control headers
ankush-jain-akto fd77b8e
Add rule for missing Transport Security headers
ankush-jain-akto 78f9f68
Add CORS response headers validation rule
ankush-jain-akto 9ede41a
Add Content Security Headers requirement
ankush-jain-akto 277ec94
Add privacy feature headers requirement to YAML
ankush-jain-akto 817742c
Add inactive flag to MustContainResponseHeaders.yaml
ankush-jain-akto File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| id: MUST_CONTAIN_CORS_RESPONSE_HEADERS | ||
| info: | ||
| name: Missing CORS Response Headers | ||
| description: "The response does not contain some CORS security headers." | ||
| details: > | ||
| "These headers control how and when resources can be accessed from other origins. They isolate your pages from other sites unless cross-origin access is explicitly allowed. This creates a secure context required for certain browser features." | ||
| impact: "Stops cross-origin data leaks and side-channel attacks." | ||
| category: | ||
| name: MHH | ||
| shortName: Misconfigured HTTP Headers | ||
| displayName: Misconfigured HTTP Headers (MHH) | ||
| subCategory: MUST_CONTAIN_RESPONSE_HEADERS | ||
| severity: LOW | ||
| tags: | ||
| - Business logic | ||
| - OWASP top 10 | ||
| - HackerOne top 10 | ||
| references: | ||
| - "https://web.dev/security-headers/" | ||
| - "https://www.keycdn.com/blog/http-security-headers" | ||
| - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" | ||
| cwe: | ||
| - CWE-693 | ||
| cve: | ||
| - CVE-2022-41915 | ||
| - CVE-2022-37436 | ||
|
|
||
| attributes: | ||
| nature: INTRUSIVE | ||
| plan: STANDARD | ||
| duration: FAST | ||
|
|
||
|
|
||
| api_selection_filters: | ||
| response_code: | ||
| gte: 200 | ||
| lt: 300 | ||
| method: | ||
| neq: "OPTIONS" | ||
| execute: | ||
| type: single | ||
| requests: | ||
| - req: [] | ||
|
|
||
| validate: | ||
| response_code: | ||
| gte: 200 | ||
| lt: 300 | ||
| response_headers: | ||
| for_one: | ||
| key: | ||
| not_contains: | ||
| - Cross-Origin-Embedder-Policy | ||
| - Cross-Origin-Opener-Policy | ||
| - Cross-Origin-Resource-Policy | ||
| strategy: | ||
| run_once: / | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| id: MUST_CONTAIN_RESPONSE_HEADERS_CACHING | ||
| info: | ||
| name: Missing Caching & Privacy Control Response Headers | ||
| description: "The response does not contain some Caching & Privacy Control headers." | ||
| details: > | ||
| "The endpoint seems to be missing some HTTP security headers which provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.<br>" | ||
| "<b>Background:</b> Whenever a browser requests a page from a web server, the server responds with the content along with Caching & Privacy Control response headers. Some of these headers contain content meta data such as the Content-Encoding, Cache-Control, status codes, etc. Along with these are also HTTP security headers that tell your browser how to behave when handling your website's content. For example, by using the Strict-Transport-Security you can force the browser to communicate solely over HTTPS." | ||
| impact: "This information can be used to facilitate more sophisticated attacks on your application." | ||
| category: | ||
| name: MHH | ||
| shortName: Misconfigured HTTP Headers | ||
| displayName: Misconfigured HTTP Headers (MHH) | ||
| subCategory: MUST_CONTAIN_RESPONSE_HEADERS | ||
| severity: LOW | ||
| tags: | ||
| - Business logic | ||
| - OWASP top 10 | ||
| - HackerOne top 10 | ||
| references: | ||
| - "https://web.dev/security-headers/" | ||
| - "https://www.keycdn.com/blog/http-security-headers" | ||
| - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" | ||
| cwe: | ||
| - CWE-693 | ||
| cve: | ||
| - CVE-2022-41915 | ||
| - CVE-2022-37436 | ||
|
|
||
| attributes: | ||
| nature: INTRUSIVE | ||
| plan: STANDARD | ||
| duration: FAST | ||
|
|
||
|
|
||
| api_selection_filters: | ||
| response_code: | ||
| gte: 200 | ||
| lt: 300 | ||
| method: | ||
| neq: "OPTIONS" | ||
| execute: | ||
| type: single | ||
| requests: | ||
| - req: [] | ||
|
|
||
| validate: | ||
| response_code: | ||
| gte: 200 | ||
| lt: 300 | ||
| response_headers: | ||
| for_one: | ||
| key: | ||
| not_contains: | ||
| - Cache-Control | ||
| - Clear-Site-Data | ||
| - Pragma | ||
| strategy: | ||
| run_once: / |
58 changes: 58 additions & 0 deletions
58
Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,58 @@ | ||||||
| id: MUST_CONTAIN_CONTENT_SEC_RESPONSE_HEADERS | ||||||
| info: | ||||||
| name: Missing Content & Framing Security Response Headers | ||||||
| description: "The response does not contain some Content & Framing Security security headers." | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There is a redundant word 'security' in the description. It should read 'some Content & Framing Security headers' instead of 'some Content & Framing Security security headers'.
Suggested change
Copilot uses AI. Check for mistakes. Positive FeedbackNegative Feedback |
||||||
| details: > | ||||||
| "These headers prevent untrusted scripts, styles, or content from executing in your pages. They stop MIME type sniffing and block your pages from being embedded in iframes. This helps reduce attack vectors like XSS and clickjacking." | ||||||
| impact: "Blocks XSS, clickjacking, and content injection attacks." | ||||||
| category: | ||||||
| name: MHH | ||||||
| shortName: Misconfigured HTTP Headers | ||||||
| displayName: Misconfigured HTTP Headers (MHH) | ||||||
| subCategory: MUST_CONTAIN_RESPONSE_HEADERS | ||||||
| severity: LOW | ||||||
| tags: | ||||||
| - Business logic | ||||||
| - OWASP top 10 | ||||||
| - HackerOne top 10 | ||||||
| references: | ||||||
| - "https://web.dev/security-headers/" | ||||||
| - "https://www.keycdn.com/blog/http-security-headers" | ||||||
| - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" | ||||||
| cwe: | ||||||
| - CWE-693 | ||||||
| cve: | ||||||
| - CVE-2022-41915 | ||||||
| - CVE-2022-37436 | ||||||
|
|
||||||
| attributes: | ||||||
| nature: INTRUSIVE | ||||||
| plan: STANDARD | ||||||
| duration: FAST | ||||||
|
|
||||||
|
|
||||||
| api_selection_filters: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| method: | ||||||
| neq: "OPTIONS" | ||||||
| execute: | ||||||
| type: single | ||||||
| requests: | ||||||
| - req: [] | ||||||
|
|
||||||
| validate: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| response_headers: | ||||||
| for_one: | ||||||
| key: | ||||||
| not_contains: | ||||||
| - Content-Security-Policy | ||||||
| - X-Content-Type-Options | ||||||
| - X-Frame-Options | ||||||
| - X-Permitted-Cross-Domain-Policies | ||||||
| strategy: | ||||||
| run_once: / | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,55 @@ | ||||||
| id: MUST_CONTAIN_TRANSPORT_SEC_RESPONSE_HEADERS | ||||||
| info: | ||||||
| name: Missing Transport Security Response Headers | ||||||
| description: "The response does not contain Transport Security headers." | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The description should be consistent with other files. It should read 'some Transport Security headers' to match the pattern used in other files where only partial header presence is checked.
Suggested change
Copilot uses AI. Check for mistakes. Positive FeedbackNegative Feedback |
||||||
| details: > | ||||||
| "This category enforces the use of secure HTTPS connections between the client and server. It ensures that once a user connects securely, all future requests remain encrypted. This protects against downgrade attacks and interception of unencrypted traffic." | ||||||
| impact: "Blocks man-in-the-middle attacks over insecure channels." | ||||||
| category: | ||||||
| name: MHH | ||||||
| shortName: Misconfigured HTTP Headers | ||||||
| displayName: Misconfigured HTTP Headers (MHH) | ||||||
| subCategory: MUST_CONTAIN_RESPONSE_HEADERS | ||||||
| severity: LOW | ||||||
| tags: | ||||||
| - Business logic | ||||||
| - OWASP top 10 | ||||||
| - HackerOne top 10 | ||||||
| references: | ||||||
| - "https://web.dev/security-headers/" | ||||||
| - "https://www.keycdn.com/blog/http-security-headers" | ||||||
| - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" | ||||||
| cwe: | ||||||
| - CWE-693 | ||||||
| cve: | ||||||
| - CVE-2022-41915 | ||||||
| - CVE-2022-37436 | ||||||
|
|
||||||
| attributes: | ||||||
| nature: INTRUSIVE | ||||||
| plan: STANDARD | ||||||
| duration: FAST | ||||||
|
|
||||||
|
|
||||||
| api_selection_filters: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| method: | ||||||
| neq: "OPTIONS" | ||||||
| execute: | ||||||
| type: single | ||||||
| requests: | ||||||
| - req: [] | ||||||
|
|
||||||
| validate: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| response_headers: | ||||||
| for_one: | ||||||
| key: | ||||||
| not_contains: | ||||||
| - Strict-Transport-Security | ||||||
| strategy: | ||||||
| run_once: / | ||||||
56 changes: 56 additions & 0 deletions
56
Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,56 @@ | ||||||
| id: MUST_CONTAIN_PRIVACY_RESPONSE_HEADERS | ||||||
| info: | ||||||
| name: Missing Privacy & Feature Restriction Response Headers | ||||||
| description: "The response does not contain Privacy & Feature Restriction security headers." | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The description contains a grammatical error. It should read 'some Privacy & Feature Restriction security headers' to match the pattern used in other files where only partial header presence is checked.
Suggested change
Copilot uses AI. Check for mistakes. Positive FeedbackNegative Feedback |
||||||
| details: > | ||||||
| "These headers limit what referrer information is shared when navigating to other sites. They also restrict access to powerful browser APIs like camera, microphone, and geolocation. This reduces the exposure of sensitive user data." | ||||||
| impact: "Minimizes data leaks and reduces browser attack surface." | ||||||
| category: | ||||||
| name: MHH | ||||||
| shortName: Misconfigured HTTP Headers | ||||||
| displayName: Misconfigured HTTP Headers (MHH) | ||||||
| subCategory: MUST_CONTAIN_RESPONSE_HEADERS | ||||||
| severity: LOW | ||||||
| tags: | ||||||
| - Business logic | ||||||
| - OWASP top 10 | ||||||
| - HackerOne top 10 | ||||||
| references: | ||||||
| - "https://web.dev/security-headers/" | ||||||
| - "https://www.keycdn.com/blog/http-security-headers" | ||||||
| - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" | ||||||
| cwe: | ||||||
| - CWE-693 | ||||||
| cve: | ||||||
| - CVE-2022-41915 | ||||||
| - CVE-2022-37436 | ||||||
|
|
||||||
| attributes: | ||||||
| nature: INTRUSIVE | ||||||
| plan: STANDARD | ||||||
| duration: FAST | ||||||
|
|
||||||
|
|
||||||
| api_selection_filters: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| method: | ||||||
| neq: "OPTIONS" | ||||||
| execute: | ||||||
| type: single | ||||||
| requests: | ||||||
| - req: [] | ||||||
|
|
||||||
| validate: | ||||||
| response_code: | ||||||
| gte: 200 | ||||||
| lt: 300 | ||||||
| response_headers: | ||||||
| for_one: | ||||||
| key: | ||||||
| not_contains: | ||||||
| - Permissions-Policy | ||||||
| - Referrer-Policy | ||||||
| strategy: | ||||||
| run_once: / | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The description contains a redundant word 'security'. It should read 'some CORS headers' instead of 'some CORS security headers' to be consistent with the pattern.
Copilot uses AI. Check for mistakes.