
www-project-secure-headers's Introduction

OWASP Secure Headers Project


🎯 The OWASP Secure Headers Project (also named OSHP) describes HTTP response headers that your application can use to increase its security. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

Introduction

📚 HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through the headers that can make applications more versatile or secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?

Description

📚 We aim to publish reports on header usage stats, developments and changes, code libraries that make these headers easily accessible to developers on a range of platforms, and data sets concerning the general usage of these headers.

The OWASP Secure Headers Project was migrated to a new OWASP website.

You can still access the old website here.

Logo

🎨 The project's official logo is stored in the folder logo as well as in the OWASP Swag GitHub repository.

Issue and discussions

💬 Both are handled with this dedicated project:

Content editor

๐Ÿ‘ฉโ€๐Ÿ’ป Content editing is done with Visual Studio Code.

A workspace file is provided with recommended extensions.

Automatically generated content

๐Ÿญ The folder ci (CI for Continuous Integration) contains materials to generate the following content.

๐Ÿ“ Generate the both JSON files containing the header recommended to add and remove:

๐Ÿ“ Generate the markdown file with the update health state of all GitHub repositories mentioned in the tab named Technical:

Social media communication

📩 This template is used to announce news on social media about OSHP updates:

📡 OWASP Secure Headers Project: [MESSAGE].

#appsec #appsecurity #http

[PRINT_SCREEN_IN_PNG_FORMAT_WHEN_APPLICABLE]

📖 [LINK_TO_OSHP_SECTION]

💡 Source used:

[LINK_TO_SOURCE_USED]

Contributors

💌 Contributors to OSHP, before the migration of the project to GitHub:

💌 Visit this page for updated information about the contributors since the migration of the project to GitHub.

Licensing

📑 This project content is free to use. It is licensed under the Apache 2.0 License.

www-project-secure-headers's People

Contributors

adamaveray, ecki, floatingatoll, harel-e, hblankenship, jongalloway, juzzeth, kingthorin, northdpole, owaspfoundation, rfc-st, righettod, riramar, tabarra, thunderson


www-project-secure-headers's Issues

References aren't clickable and other cleanup

Can someone:

  • turn all the many references in this article into actual links (on all tabs).
  • While you are at it, can you make sure the links are still valid and remove any that are not.
  • Fix the table under Expect-CT so the 1st column isn't 1 character wide.
  • Look at all the other tables and fix similar issues (e.g., the Public Key Pinning Extension for HTTP (HPKP) table's 1st column should be wider).

Make Content-Security-Policy header more secure

Currently, the Content-Security-Policy recommendation in this document is as follows:

default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content

However, according to Google's CSP Evaluator, the data: scheme allows the execution of unsafe scripts and can be used to craft an XSS attack. For example, an attacker could craft the following URL: data:text/html,<script>alert('hi');</script>

Content-Security-Policy being very error prone, I don't know how easy it would be to come up with a "general" recommendation.

A solution I have in mind would be to do what Google's CSP Evaluator does: remove the data: scheme and put a warning on 'self' about JSONP and the Angular library.

What do you think?
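To make the point of this issue concrete, here is an added example (not code from the OSHP project or from the issue author): a small Content-Security-Policy parser that resolves which source expressions govern script execution, applying the default-src fallback a browser uses when script-src is absent, and reports the weak spots the issue discusses (data:, 'self' with JSONP/Angular caveat, unsafe keywords). ISSUE_POLICY is the value quoted above; HARDENED_POLICY is a constructed comparison variant, not a project recommendation.

```python
"""Added example (not part of the OSHP project or of the issue above).

Parses a Content-Security-Policy header value into directives and reports
which source expressions end up governing script execution, applying the
default-src fallback a browser uses when script-src is absent. ISSUE_POLICY is
the value quoted in the issue; HARDENED_POLICY is a constructed variant that
drops data: and names script-src explicitly, not a project recommendation.
"""
from typing import Dict, List

# Fetch directives fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "child-src", "frame-src", "worker-src",
}

ISSUE_POLICY = (
    "default-src 'self' data:; object-src 'none'; child-src 'self'; "
    "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
)
# Constructed hardened variant used only for comparison.
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directive names are case-insensitive; when a directive is repeated,
    browsers keep the first occurrence and ignore the rest, as done here.
    """
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Source list applying to `directive`, with the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def script_findings(value: str) -> List[str]:
    """Describe what the policy allows to execute as script.

    Each finding starts with the source expression it concerns, so callers
    can filter on e.g. "data:" without parsing the message text.
    """
    policy = parse_csp(value)
    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        return ["*: no script-src and no default-src, every script source is allowed"]
    if "script-src" not in policy:
        findings.append("default-src: script-src not set, script sources inherited from default-src")
    for src in effective_sources(policy, "script-src"):
        low = src.lower()
        if low == "data:":
            findings.append("data: allowed for scripts; a data URL can carry script")
        elif low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"{src}: weakens script restrictions")
        elif low in ("*", "http:", "https:"):
            findings.append(f"{src}: wildcard scheme or host allowed for scripts")
        elif low == "'self'":
            findings.append("'self': check that the origin hosts no JSONP endpoints or AngularJS, which could bypass the policy")
    return findings


if __name__ == "__main__":
    for label, policy in (("issue", ISSUE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}]")
        for finding in script_findings(policy):
            print("  -", finding)
```

Running the block prints the findings for both policies: the quoted one inherits 'self' and data: for scripts from default-src, while the constructed variant only carries the 'self' caveat.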

Potentially remove `Expect-CT`

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:

The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

I'm not sure where to look for the source information, but assuming the note is correct, there will be very little reason to use this header. Consider removing?

cannot link directly to a specific header information

problem:
when linking to a specific header information like:
https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies
you can't see it right away because the Response Headers tab is not selected.

cause:
tab selection by url also uses a fragment and you can't have both fragments in the url:
https://owasp.org/www-project-secure-headers/#div-headers

possible solutions:

move tab selection to query string:
https://owasp.org/www-project-secure-headers/?tab=response-headers#x-permitted-cross-domain-policies

or slug:
https://owasp.org/www-project-secure-headers/response-headers/#x-permitted-cross-domain-policies

New CORS header "Access-Control-Request-Private-Network"

Hi,

Add the new CORS header Access-Control-Request-Private-Network and the related information flow in the section Miscellaneous.

Sources:

💬 March 2022 update:

💬 June 2022 update:

@riramar You can assign it to me 😃

Address points raised from project committee regarding the graduation

Description

Points raised:

  • Considered "Documentation" but points to various tools in https://github.com/oshp. Unclear what the main aspect is meant to be.
  • Should this just be a cheat sheet (except for all those tools...)
  • Promotion request was submitted for the project website repo but not the code repo?
  • Project website has several informational tabs on HTTP headers but does not explain the tool found at https://github.com/oshp/headers at all.
  • GitHub main project had last update 9 months ago. Hard to tell if this should be considered "finished" or already on its way to "outdated".
  • Link http://oshp.bsecteam.com/ mentioned on GitHub causes uBlockOrigin warning and redirects to http://gwrtheyrn-rot.com/zcredirect?visitid=afc55dc0-a191-11ec-9d32-12b602a07ea5&type=js&browserWidth=1920&browserHeight=937&iframeDetected=false.

Additional resources

None

X-XSS-Protection Header Deprecation Security Issue

In the deprecation of the X-XSS-Protection header it states that it will bring security issues to the client side without specifying details. Would it be possible to state why?

Will there be an impact on the confidentiality and integrity of data if someone still applies this header?

Notes on Feature-Policy

Just writing this down as a reminder since I don't really have time atm, or in case someone wants to take this on:

Additionally, probably want to track w3c/webappsec-permissions-policy#359 as the Feature-Policy HTTP header may be renamed in the future.

Expect-CT deprecated

โš ๏ธ Warning: This header will likely become obsolete in June 2021

should it be move from "Almost deprecated" to "Deprecated" ?

Idea proposal

Hi,

In order to allow dev/infra teams to monitor or check the configuration of the headers on a site, I have created a quick "test suite" based on the tool VENOM and OSHP.

Why VENOM?

It does not need any installation: you grab a release and run the test suite you want. To customise the test suites, you only edit the YAML file with your context, so you do not need coding skills to adapt the suites.

It allows generating reports in different formats, like JUnit for example, that can be easily integrated in a CI/CD pipeline.

My proposal

OSHP can provide a base test suite (just a maintained YAML file) aligned with the recommendations on the site. The goal is to allow OSHP users to quickly set up verification of the application of the proposed recommendations and to easily customise the test suite when needed. As the tool provides releases for different OSes as a single file, the proposed test suite does not require any extra installation or dependencies.

The test suite

Test suites as a Gist.

It is just a proposal, feel free to send it to the trash if it does not go in the direction the project wants to go 😃

Thanks a lot in advance 😃
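As an added illustration of the check this proposal describes (and of the "headers to add / headers to remove" lists the README's ci folder generates), here is example code that is neither OSHP's nor the VENOM test suite from the Gist: it compares a captured set of response headers against a list of headers to add and a list of headers to remove, matching names case-insensitively as HTTP requires, and renders the result as a JUnit XML report that a CI/CD pipeline can consume. Both lists and the sample response are constructed for the example; the format of the JSON files OSHP actually publishes is not reproduced here.

```python
"""Added example (not OSHP's code and not the VENOM test suite from the proposal).

Checks a captured set of HTTP response headers against a list of headers to
add and a list of headers to remove, then renders the result as a JUnit XML
report for a CI/CD pipeline. Both lists and the sample response are
constructed here; the lists OSHP publishes from its ci folder as JSON have
their own format and are not reproduced.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed recommendation lists. Only presence is checked, not values;
# the values are carried along so a failure message can show them.
RECOMMENDED_ADD: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}
RECOMMENDED_REMOVE: List[str] = ["Server", "X-Powered-By", "X-AspNet-Version", "X-XSS-Protection"]

# Constructed sample response: some recommended headers set, two headers that
# should be removed still present, and names in mixed case on purpose.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "Server": "ExampleServer/1.0",
}


def check_headers(response_headers: Dict[str, str], add: Dict[str, str],
                  remove: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing_recommended, present_but_should_be_removed).

    HTTP field names are case-insensitive, so comparison is done on
    lower-cased names; result order follows the recommendation lists.
    """
    present = {name.lower() for name in response_headers}
    missing = [h for h in add if h.lower() not in present]
    to_remove = [h for h in remove if h.lower() in present]
    return missing, to_remove


def junit_report(response_headers: Dict[str, str], add: Dict[str, str],
                 remove: List[str], suite_name: str = "oshp-headers") -> str:
    """Render one JUnit test case per recommendation; failures carry a message."""
    missing, to_remove = check_headers(response_headers, add, remove)
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(add) + len(remove)),
                       failures=str(len(missing) + len(to_remove)))
    for name, value in add.items():
        case = ET.SubElement(suite, "testcase", classname="headers.add", name=name)
        if name in missing:
            failure = ET.SubElement(case, "failure", message=f"missing recommended header {name}")
            failure.text = f"recommended value: {value}"
    for name in remove:
        case = ET.SubElement(suite, "testcase", classname="headers.remove", name=name)
        if name in to_remove:
            ET.SubElement(case, "failure", message=f"header {name} is present and should be removed")
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    print(junit_report(SAMPLE_RESPONSE_HEADERS, RECOMMENDED_ADD, RECOMMENDED_REMOVE))
```

In a pipeline the response headers would come from an HTTP client instead of the constructed dict; the report format is what lets a CI server mark the job failed and list the exact headers that are missing or leaking.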

Integration with other OWASP projects

Description

Contact and work with the following projects to define the way to integrate with them:

Below is a possible integration based on project goals.

OSHP information can be:

  • Consumed by the ASVS during the specification of the protection to include.
  • Consumed by the Proactive Controls / Cheat Sheet Series during the implementation.
  • Validated with ZAP during app assessment or scanning by CI/CD pipeline.
  • Consumed by the ModSecurity CRS to add protection at WAF level.

Relation overview:

erDiagram
    ASVS |o--|| OSHP : Consumes
    ProactiveControls |o--|| OSHP : Consumes
    CheatSheetSeries |o--|| OSHP : Consumes
    ModSecurityCRS |o--|| OSHP : Consumes
    ZAP |o--|| OSHP : Consumes

Additional resources

Statistical data about header usage.

Description

Perform public scanning of websites and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.

Consistent reports regarding these secure headers, their usage, and any changes to existing headers.

Additional resources
