owasp / www-project-secure-headers
The OWASP Secure Headers Project
Home Page: https://owasp.org/www-project-secure-headers/
License: Apache License 2.0
Sorry if I don't understand well how https://github.com/OWASP/www-project-secure-headers/blob/master/monitoring_technical_references_dashboard.md updates work, but in my specific case (https://github.com/rfc-st/humble/) the panel indicates that my repository has not been updated for two months, when two weeks ago I published my last release and every weekend there are new commits (the last one twenty minutes ago!).
Thank you!
Point raised:
https://github.com/oshp . Unclear what the main aspect is meant to be.
https://github.com/oshp/headers at all.
http://oshp.bsecteam.com/ mentioned on GitHub causes a uBlockOrigin warning and redirects to http://gwrtheyrn-rot.com/zcredirect?visitid=afc55dc0-a191-11ec-9d32-12b602a07ea5&type=js&browserWidth=1920&browserHeight=937&iframeDetected=false
None
Currently, the Content-Security-Policy recommendation in this document is as follows:
default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
Though, according to Google's CSP Evaluator, the data: scheme allows the execution of unsafe scripts and can be used to craft an XSS attack. For example, an attacker could craft the following URL: data:text/html,<script>alert('hi');</script>
Content-Security-Policy being very error prone, I don't know how easy it would be to come up with a "general" recommendation.
A solution in mind would be to do what Google's CSP Evaluator does: removing the data: scheme and putting a warning on self about JSONP and the Angular library.
What do you think?
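The weakness discussed in this issue, as an added example (not code from the OSHP project or from the issue author): a small Python checker that parses a CSP value, reports whether the directive that actually governs script execution (script-src, or default-src as its fallback) allows the data: scheme, flags 'self' with the JSONP/Angular caveat the CSP Evaluator gives, and derives the hardened form the issue proposes by dropping data: from default-src. Re-adding data: under img-src so that inline images keep working is an assumption of this example, not something the issue suggests; img-src never controls script execution, so it does not reintroduce the problem.

```python
"""Evaluate a Content-Security-Policy for the data: scheme weakness.

Added example, not part of the OSHP project. It parses a CSP header value,
reports findings for the directive that controls script execution, and
produces a hardened policy with data: removed from that directive.
"""
from __future__ import annotations

# Directives whose source list decides which scripts may run. If none is
# present, browsers fall back to default-src.
SCRIPT_DIRECTIVES = ("script-src", "script-src-elem", "script-src-attr")

# The recommendation quoted in the issue above.
ISSUE_POLICY = (
    "default-src 'self' data:; object-src 'none'; child-src 'self'; "
    "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are separated by ';'. Browsers honour only the first
    occurrence of a directive, so repeats are ignored here as well.
    """
    parsed: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in parsed:
            parsed[name] = tokens[1:]
    return parsed


def serialize_csp(parsed: dict[str, list[str]]) -> str:
    """Inverse of parse_csp; keeps directive order."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in parsed.items())


def effective_script_sources(parsed: dict[str, list[str]]) -> tuple[str | None, list[str]]:
    """Return (directive, sources) that govern script execution, or (None, [])."""
    for name in SCRIPT_DIRECTIVES:
        if name in parsed:
            return name, parsed[name]
    if "default-src" in parsed:
        return "default-src", parsed["default-src"]
    return None, []


def evaluate_csp(policy: str) -> list[tuple[str, str, str]]:
    """Return (severity, directive, message) findings for script execution."""
    parsed = parse_csp(policy)
    name, sources = effective_script_sources(parsed)
    if name is None:
        return [("high", "script-src", "neither script-src nor default-src is set; any script may run")]
    lowered = [s.lower() for s in sources]
    findings: list[tuple[str, str, str]] = []
    if "data:" in lowered:
        findings.append((
            "high", name,
            "data: scheme allows script execution via a data:text/html,... URL",
        ))
    if "'unsafe-inline'" in lowered:
        findings.append(("high", name, "'unsafe-inline' allows inline script execution"))
    if "'self'" in lowered:
        # Same caveat the CSP Evaluator attaches to 'self' (mentioned in the issue).
        findings.append((
            "medium", name,
            "'self' can be bypassed if the origin hosts JSONP endpoints or Angular",
        ))
    return findings


def harden_csp(policy: str, keep_data_for_images: bool = True) -> str:
    """Drop data: from the script-governing directive, as the issue proposes.

    keep_data_for_images (assumption of this example): if data: was removed
    from default-src and no img-src exists, allow data: images explicitly.
    """
    parsed = parse_csp(policy)
    name, sources = effective_script_sources(parsed)
    if name is None or "data:" not in [s.lower() for s in sources]:
        return serialize_csp(parsed)
    parsed[name] = [s for s in sources if s.lower() != "data:"]
    if keep_data_for_images and name == "default-src" and "img-src" not in parsed:
        parsed["img-src"] = ["'self'", "data:"]
    return serialize_csp(parsed)


if __name__ == "__main__":
    for sev, directive, msg in evaluate_csp(ISSUE_POLICY):
        print(f"[{sev}] {directive}: {msg}")
    print("hardened:", harden_csp(ISSUE_POLICY))
```

Running the block prints a high finding for data: in default-src and a medium one for 'self', then the hardened policy. Note that data: in default-src is only a script problem when no script-src overrides it; the checker follows the browser's fallback order rather than flagging every data: token.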
Hi,
In order to allow dev/infra teams to monitor or check the configuration of the headers on a site, I have created a quick "test suite" based on the tools VENOM and the OSHP.
It does not need any installation: you grab a release and run the test suite wanted. To customise the test suites, you only edit the YAML file with your context, so you do not need to have coding skills to adapt the suites.
It allows generating reports in different formats, like JUnit for example, that can be easily integrated in a CI/CD pipeline.
OSHP can provide a base test suite (just a maintained YAML file) aligned with the recommendations on the site. The goal is to allow OSHP users to quickly set up verification of the application of the recommendations proposed and easily customise the test suites in case of need. As the tool provides releases for different OS as a single file, the proposed test suites do not require any extra installation or dependencies.
It is just a proposal, feel free to send it to the trash if it does not go in the way the project wants to go.
Thanks a lot in advance.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:
The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.
I'm not sure where to look for the source information, but assuming the note is correct, there will be very little reason to use this header. Consider removing?
Perform public scans of websites and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.
Consistent reports regarding these secure headers, their usage, and any changes to existing headers.
Can someone:
Hello,
Regarding the Technical References Dashboard (https://github.com/OWASP/www-project-secure-headers/blob/master/monitoring_technical_references_dashboard.md): when and how do you update it?
The latest version of my tool (https://github.com/rfc-st/humble/) appears on that page dated 2022-09-05, but just today I made several changes; and generated a new release two weeks ago.
Thanks.
RFC:
Documentation:
Support:
This issue can be assigned to me if you are ok with this add.
New headers to keep an eye out for:
Cross-Origin-Embedder-Policy (COEP)
Cross-Origin-Opener-Policy (COOP)
Cross-Origin-Resource-Policy (CORP) (MDN link)
See related articles from web.dev:
Making your website "cross-origin isolated" using COOP and COEP
Why you need "cross-origin isolated" for powerful features
Per Mozilla, the X-Frame-Options header is obsolete. It should not be a required header. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Problem:
When linking to a specific header's information, like:
https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies
you can't see it right away because the Response Headers tab is not selected.
Cause:
Tab selection by URL also uses a fragment, and you can't have both fragments in the URL:
https://owasp.org/www-project-secure-headers/#div-headers
Possible solutions:
Move tab selection to the query string:
https://owasp.org/www-project-secure-headers/?tab=response-headers#x-permitted-cross-domain-policies
or to a slug:
https://owasp.org/www-project-secure-headers/response-headers/#x-permitted-cross-domain-policies
I am keen to contribute to this project. I have created the repository below on how to do API security using the OWASP Secure Headers Project. It is created using Python. It can be included here as an example or use case. Please go over the repository below and let me know your thoughts.
https://github.com/AmitKulkarni9/API-Security
Thanks,
Amit Kulkarni
⚠️ Warning: This header will likely become obsolete in June 2021
Should it be moved from "Almost deprecated" to "Deprecated"?
Hi,
Add the new CORS header Access-Control-Request-Private-Network and the related information flow in the section Miscellaneous.
Sources:
March 2022 update:
June 2022 update:
@riramar You can assign it to me.
Just writing this down as a reminder since I don't really have time atm, or if someone wants to take this on:
The vr feature identifier is obsolete, and should be replaced with xr-spatial-tracking.
The vibrate feature identifier was never implemented anywhere, nor specced anywhere, so as such it is invalid.
Additionally, probably want to track w3c/webappsec-permissions-policy#359 as the Feature-Policy HTTP header may be renamed in the future.
Create a parser to grab the headers from https://scans.io/ and populate the MySQL database.
Currently Edge, Firefox, Chrome and Opera no longer support X-XSS-Protection, which has faded away in favor of the more flexible and reliable Content-Security-Policy, whose level 2 is supported by all major browsers.
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://caniuse.com/#search=X-Xss-Protection
I will issue a PR soon with this fix.
In the deprecation of the X-XSS-Protection header it states that it will bring security issues to the client side without specifying details. Would it be possible to state why?
Will there be an impact on the confidentiality and integrity of data if someone still applies this header?
Hi guys.
Maybe it would be worth mentioning the 'frame-ancestors' CSP rule in the X-Frame-Options section.
Due to https://www.w3.org/TR/CSP11/#frame-ancestors-and-frame-options
What do you think?
See #77
No response
From MDN on X-XSS-Protection
(I added this information to MDN, but you can check the linked resources to confirm):
Chrome has removed their XSS Auditor
Firefox has not, and will not, implement X-XSS-Protection
Edge has retired their XSS filter
In short, the header isn't useful in modern browsers. Consider removing?
There's essentially no browser support for this header, see MDN compat data. I think it's safe to say that developers shouldn't spend time on implementing public key pins.
Contact and work with the following projects to define the way to integrate with them:
Below is a possible integration based on project goals.
OSHP information can be:
Relation overview:
erDiagram
ASVS |o--|| OSHP : Consumes
ProactiveControls |o--|| OSHP : Consumes
CheatSheetSeries |o--|| OSHP : Consumes
ModSecurityCRS |o--|| OSHP : Consumes
ZAP |o--|| OSHP : Consumes
See #58
No response