Verified Commit 4e401a6a authored by Elger Jonker's avatar Elger Jonker

Fix #125 take in account CSP header, but don't mandate it

parent 8a33556c
......@@ -107,6 +107,8 @@ def security_headers_rating_based_on_scan(scan, header='Strict-Transport-Securit
'Referrer-Policy':
Classified as: Ignored
todo: should be enabled(?)
todo: we're going to need to split this up per header, there are too many code paths forming.
"""
high, medium, low = 0, 0, 0
......@@ -114,7 +116,9 @@ def security_headers_rating_based_on_scan(scan, header='Strict-Transport-Securit
# We add what is done well, so it's more obvious it's checked.
if scan.rating == "True":
explanation = header + " header present."
elif scan.rating == "Using CSP":
explanation = "Content-Security-Policy header found, which covers the security aspect of the %s header." \
% header
else:
explanation = "Missing " + header + " header."
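Review bot: The new `elif scan.rating == "Using CSP":` branch at L17 only chooses an explanation string; whether a scan rated "Using CSP" is scored like a present header (no high/medium/low increment) or falls into whatever branch handles "False" is decided further down in security_headers_rating_based_on_scan, outside this hunk, so that scoring code needs the same new rating value or the CSP fallback silently keeps penalising the endpoint. The per-header classification table in the docstring (L7-L9) should also list the new state so the next reader knows it exists, e.g. add `X-Frame-Options / X-XSS-Protection: rated "Using CSP" when the header is absent but a Content-Security-Policy header is present; counted as covered, not as missing.` with the last clause adjusted to however the scoring below actually treats it. The docstring itself starts before this hunk and the function body continues past its end.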
......
......@@ -87,11 +87,26 @@ def analyze_headers(result: requests.Response, endpoint):
egss.domain = endpoint.uri_url()
egss.save()
"""
#125: CSP can replace X-XSS-Protection and X-Frame-Options. Thus if a (more modern) CSP header is present, assume
that decisions have been made about what's in it and ignore the previously mentioned headers.
We don't mandate CSP yet because it's utterly complex and therefore comes with an extremely low adoption ratio.
https://stackoverflow.com/questions/43039706/replacing-x-frame-options-with-csp
X-Frame-Options: SAMEORIGIN ➡ Content-Security-Policy: frame-ancestors 'self'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
X-XSS-Protection -> ('unsafe-inline')
X-Content-Type-Options is not affected.
"""
if config.SCAN_HTTP_HEADERS_X_XSS:
generic_check(endpoint, response.headers, 'X-XSS-Protection')
generic_check_using_csp_fallback(endpoint, response.headers, 'X-XSS-Protection')
if config.SCAN_HTTP_HEADERS_XFO:
generic_check(endpoint, response.headers, 'X-Frame-Options')
generic_check_using_csp_fallback(endpoint, response.headers, 'X-Frame-Options')
if config.SCAN_HTTP_HEADERS_X_CONTENT:
generic_check(endpoint, response.headers, 'X-Content-Type-Options')
......@@ -160,6 +175,27 @@ def generic_check(endpoint: Endpoint, headers, header):
"Security Header not present: %s" % header)
def generic_check_using_csp_fallback(endpoint: Endpoint, headers, header):
# this is case insensitive
if header in headers.keys():
log.debug('Has %s' % header)
EndpointScanManager.add_scan(header, endpoint, 'True', headers[header])
else:
# CSP fallback:
if "Content-Security-Policy" in headers.keys():
EndpointScanManager.add_scan(
header, endpoint, 'Using CSP',
"Content-Security-Policy header found, which can handle the security from %s. Value: %s." %
(header, headers["Content-Security-Policy"]))
else:
log.debug('Has no %s' % header)
EndpointScanManager.add_scan(
header, endpoint, 'False',
"Security Header not present: %s, alternative header Content-Security-Policy not present." % header)
def error_response_400_500(endpoint):
# Set all headers for this endpoint to 400_500, which are not shown in the report.
# These are not shown in the report anymore. Not using this
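Review bot: generic_check_using_csp_fallback (L46-L62) awards "Using CSP" on the mere presence of a Content-Security-Policy header, but CSP only replaces X-Frame-Options when the policy carries a `frame-ancestors` directive (the module comment at L31 names exactly that mapping), so a site sending e.g. `default-src 'self'` and no X-Frame-Options stays framable yet is reported as covered. The same applies to X-XSS-Protection, where the replacement depends on the policy restricting scripts (a `script-src`/`default-src` without `'unsafe-inline'`), which the check never inspects. The fallback should look at the CSP value for the directive that replaces the specific header before granting "Using CSP", and the "False" message at L62 should then distinguish "CSP absent" from "CSP present but without the replacing directive" rather than always claiming the alternative header is not present; a presence test for `script-src` is only a heuristic and a stricter check could reject `'unsafe-inline'` too. Note also that `headers.get()` keeps the case-insensitive lookup the comment at L47 relies on (requests' header mapping), so no behaviour is lost by switching to it.
```python
def generic_check_using_csp_fallback(endpoint: Endpoint, headers, header):
    # … unchanged: header-present branch …
    else:
        # CSP fallback: the policy only replaces this header when it actually
        # carries the replacing directive (X-Frame-Options -> frame-ancestors,
        # X-XSS-Protection -> script-src); a bare CSP header is not enough.
        csp = headers.get("Content-Security-Policy", "")
        directive = {'X-Frame-Options': 'frame-ancestors', 'X-XSS-Protection': 'script-src'}.get(header)
        if directive and directive in csp.lower():
            EndpointScanManager.add_scan(
                header, endpoint, 'Using CSP',
                "Content-Security-Policy header found, which can handle the security from %s. Value: %s." %
                (header, csp))
        else:
            log.debug('Has no %s' % header)
            EndpointScanManager.add_scan(
                header, endpoint, 'False',
                "Security Header not present: %s, and Content-Security-Policy is %s." %
                (header, "absent" if not csp else "present but lacks the %s directive" % directive))
```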
......