Nmap Development mailing list archives

Re: NSE script contribution - http-hsts-verify


From: jah <jah () zadkiel plus com>
Date: Fri, 16 Dec 2016 11:22:30 +0000

On 07/12/16 03:38, Ícaro Torres wrote:

I would like to contribute a new NSE script to the Nmap Project. It verifies whether HSTS is enabled in the web service.

Hi Ícaro,

This is a useful NSE script; thank you for sharing it.  I suggest a few small improvements:-

Make the output concise and use the word "Header" instead of "Banner":-

PORT    STATE SERVICE
443/tcp open  https
| http-hsts-verify:
|   HSTS is configured.
|_  Header: Strict-Transport-Security: max-age=31558150; includeSubDomains
 
and:-

PORT    STATE SERVICE
443/tcp open  https
| http-hsts-verify:
|_  HSTS is not configured.

The information and references can go in the description field of the script, so that when users do:-

nmap --script-help http-hsts-verify

they see something like:-

"""
Verify that HTTP Strict Transport Security is enabled.

HTTP Strict-Transport-Security (HSTS) (RFC 6797) forces a web browser to communicate with a web server over HTTPS.
This script examines HTTP Response Headers to determine whether HSTS is configured.

References: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
"""

Finally, since the script does not use the HTTP Response Body, it should suffice to make a HEAD request:-

response = http.head(host, port, path)

Regards,

jah


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
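As an added example, not part of this thread and not the script Ícaro submitted or any Nmap project code, here is a minimal NSE script in the shape jah describes: the description field, a HEAD request, and the concise two-line output. It uses only the stock http, shortport and stdnse libraries; the author string and the `.path` script argument are assumptions, and the max-age check is an extra caveat (RFC 6797 treats max-age=0 as disabling HSTS).

```lua
-- Added example, not the submitted script: http-hsts-verify in the form suggested.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Verify that HTTP Strict Transport Security is enabled.

HTTP Strict-Transport-Security (HSTS) (RFC 6797) forces a web browser to
communicate with a web server over HTTPS. This script examines HTTP
response headers to determine whether HSTS is configured.

References: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
]]

---
-- @usage nmap -p 443 --script http-hsts-verify <target>
-- @args http-hsts-verify.path Path to request (default: /). Assumed argument name.
-- @output
-- | http-hsts-verify:
-- |   HSTS is configured.
-- |_  Header: Strict-Transport-Security: max-age=31558150; includeSubDomains

author = "placeholder author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- HSTS is only meaningful over TLS, so run against SSL-wrapped HTTP ports.
portrule = shortport.ssl

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  -- The body is never inspected, so a HEAD request is sufficient.
  local response = http.head(host, port, path)
  if not response or not response.status then
    return stdnse.format_output(false, "HEAD request failed")
  end

  -- The http library lower-cases header names in response.header.
  local hsts = response.header["strict-transport-security"]
  if not hsts then
    return {"HSTS is not configured."}
  end

  local out = {"HSTS is configured.", "Header: Strict-Transport-Security: " .. hsts}
  -- A max-age of 0 tells browsers to forget the host, i.e. HSTS is effectively off.
  local max_age = tonumber(hsts:match("[Mm][Aa][Xx]%-[Aa][Gg][Ee]%s*=%s*\"?(%d+)"))
  if max_age == 0 then
    table.insert(out, "Warning: max-age=0 disables HSTS for this host.")
  end
  return out
end
```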
