Hi,

In order to allow dev/infra teams to monitor or check the configuration of the headers on a site, I have created a quick "test suites" based on the tools VENOM and the OSHP.

Why VENOM?

It does not need any installation, you grab a release and run the test suite wanted. To customise the test suites, you only edit the YAML file with your context so you do not need to have coding skills to adapt the suites.

It allows to generate reports in different formats like JUNIT for example that can be easily integrated in a CI/CD pipeline.

My proposal

OSHP can provide a base test suites (just a maintained YAML file) aligned with the recommendations on the site. The goal is to allow OSHP users to quickly set up verification of the application of the recommendation proposed and easily customise the test suites in case of need. As the tool provide release for different OS as a single file, the proposed test suites do not require any extra installation or dependencies.

The tests suite

Test suites as a Gist.

It is just a proposal, feel free to send it to the trash if it does not goes into the way the project want to go 😃

Thanks a lot in advance 😃

Description

See #58

Additional resources

No response

Description

Perform public to scan websites and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.

Consistent reports regarding this secure headers, their usage, any changes to existing headers.

Additional resources

• https://github.com/oshp/headers

Just writing this down as a reminder since I don't really have time atm, or if someone want to take this on:

• Probably need to add more feature identifiers, see https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
• The vr feature identifier is obsolete, and should be replaced with xr-spatial-tracking
• vibrate was never implemented anywhere, nor specced anywhere, so as such it is invalid

Additionally, probably want to track w3c/webappsec-permissions-policy#359 as the Feature-Policy HTTP header may be renamed in the future.

New headers to keep an eye out for:

• Cross-Origin-Embedder-Policy (COEP)
• Cross-Origin-Opener-Policy (COOP)
• Cross-Origin-Resource-Policy (CORP) (MDN link)

See related articles from web.dev:
Making your website "cross-origin isolated" using COOP and COEP
Why you need "cross-origin isolated" for powerful features

From MDN on X-XSS-Protection (I added this information to MDN, but you can check the linked resources to confirm):

Chrome has removed their XSS Auditor
Firefox have not, and will not implement X-XSS-Protection
Edge have retired their XSS filter

In short, the header isn't useful in modern browsers. Consider removing?

I am keen to contribute to this project. I have created below repository on how to do API-Security using OWASP Secure Headers Project. This is created using Python. This can be included here as an example or use-case. Please go over below repository and let me know your thoughts.

https://github.com/AmitKulkarni9/API-Security

Thanks,
Amit Kulkarni

In the deprecation of X-XSS-Protection Header it states that it will being security issues to the client side without specifying details. Will it be possible to state why ?

Will there be an impact to the confidentiality and integrity data if some one still applies this header?

Sorry if I don't understand well how https://github.com/OWASP/www-project-secure-headers/blob/master/monitoring_technical_references_dashboard.md updates works, but in my specific case (https://github.com/rfc-st/humble/) the panel indicates that my repository has not been updated for two months, when two weeks ago I published my last release and every weekend there are new commits (the last one twenty minutes ago!).

Thank you!

Can someone:

• turn all the many references in this article to actual links (On all tabs).
• While you are at it, can you make sure the links are still valid and remove any that are not.
• Fix the table under Expect-CT so the 1st column isn't 1 character wide
• Look at all the other tables and fix similar issues (e.g., the Public Key Pinning Extension for HTTP (HPKP) table's 1st column should be wider.

There's essentially no browser support for this header, see MDN compat data. I think it's safe to say that developers shouldn't spend time on implementing public key pins.

⚠️ Warning: This header will likely become obsolete in June 2021

should it be move from "Almost deprecated" to "Deprecated" ?

Hello,

Regarding the Technical References Dashboard (https://github.com/OWASP/www-project-secure-headers/blob/master/monitoring_technical_references_dashboard.md): when and how do you update it?

The latest version of my tool (https://github.com/rfc-st/humble/) appears on that page dated 2022-09-05, but just today I made several changes; and generated a new release two weeks ago.

Thanks.

Hi,

Add new CORS header Access-Control-Request-Private-Networkand related information flow in the section Miscellaneous.

Sources:

• https://portswigger.net/daily-swig/chrome-to-bolster-csrf-protections-with-cors-preflight-checks-on-private-network-requests
• https://developer.chrome.com/blog/private-network-access-preflight/
• https://wicg.github.io/private-network-access/
• https://github.com/WICG/private-network-access

💬 March 2022 update:

💬 June 2022 update:

@riramar You can assign it to me 😃

Description

Contact and work with the following projects to define the way to integrate with them:

Below is a possible integration based on project goals.

OSHP information can be:

• Consumed by the ASVS during the specification of the protection to include.
• Consumed by the Proactive Controls / Cheat Sheet Series during the implementation.
• Validated with ZAP during app assessment or scanning by CI/CD pipeline.
• Consumed by the ModSecurity CRS for the adding of protection at WAF level.

Relation overview:

erDiagram
    ASVS |o--|| OSHP : Consumes
    ProactiveControls |o--|| OSHP : Consumes
    CheatSheetSeries |o--|| OSHP : Consumes
    ModSecurityCRS |o--|| OSHP : Consumes
    ZAP |o--|| OSHP : Consumes

Additional resources

• https://owasp.org/projects/

Currently Edge, Firefox, Chrome and Opera no longer support X-XSS-Protection, which was faded away in favor of the more flexible and reliable Content-Security-Policy which have the level 2 supported by all major browsers.

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://caniuse.com/#search=X-Xss-Protection

I will issue a PR soon with this fix.

RFC:

• https://www.w3.org/TR/permissions-policy-1/

Documentation:

• https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md

Support:

• https://caniuse.com/permissions-policy
• https://www.chromestatus.com/feature/5745992911552512

This issue can be assigned to me if you are ok with this add 😃

problem:
when linking to a specific header information like:
https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies
you can't see it right away because the Response Headers tab is not selected.

cause:
tab selection by url also uses a fragment and you can't have both fragments in the url:
https://owasp.org/www-project-secure-headers/#div-headers

possible solutions:

move tab selection to query string:
https://owasp.org/www-project-secure-headers/?tab=response-headers#x-permitted-cross-domain-policies

or slug:
https://owasp.org/www-project-secure-headers/response-headers/#x-permitted-cross-domain-policies

Per Mozilla, X-Frame-Options header is obsolete. Should not be a required header. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Description

Point raised:

• Considered "Documentation" but points to various tools in https://github.com/oshp. Unclear what the main aspect is meant to be.
• Should this just be a cheat sheet (except for all those tools...)
• Promotion request was submitted for the project website repo but not the code repo?
• Project website has several informational tabs on HTTP headers but does not explain the tool found at https://github.com/oshp/headers at all.
• GitHub main project had last update 9 months ago. Hard to tell if this should be considered "finished" or already on its way to "outdated".
• Link http://oshp.bsecteam.com/ mentioned on GitHub causes uBlockOrigin warning and redirects to http://gwrtheyrn-rot.com/zcredirect?visitid=afc55dc0-a191-11ec-9d32-12b602a07ea5&type=js&browserWidth=1920&browserHeight=937&iframeDetected=false.

Additional resources

None

Description

See #77

Additional resources

No response

Hi guys.
Maybe it would be worth mentioning the 'frame-ancestors' CSP rule in the X-Frame-Options section.
Due to https://www.w3.org/TR/CSP11/#frame-ancestors-and-frame-options
What do you think?

Description

Create a parser to grab the headers from https://scans.io/ and populate the MySQL database.

Additional resources

• https://scans.io/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:

The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

I'm not sure where to look for the source information, but assuming the note is correct, there will be very little reason to use this header. Consider removing?

Currently, the Content-Security-Policy recommendation in this document is as follow:

default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content

Though, according to Google's CSP Evaluator, the data: scheme allows the execution of unsafe scripts and can be used to craft an XSS Attack. For example, an attacker could craft the following url data:text/html,<script>alert('hi');</script>

Content-Security-Policy being very error prone, I don't know how easy it would be to come with a "general" recommendation.

A solution in mind would be to do what Google's CSP evaluator does: Removing the data: scheme and put a warning on self about JSONP and Angular library.

What do you think?