Nmap Development mailing list archives

Re: New NSE Script http-security-headers.nse


From: George Chatzisofroniou <sophron () latthi com>
Date: Thu, 1 Jun 2017 15:05:42 +0300

Hi Vinamra,

Do you think you can also add a check for the "Cache-Control",
"Pragma" and "Expires" headers? While these are not strictly
"security" headers, in web applications that transmit sensitive
information it is recommended to disable client-side caching by making
use of these headers.

More information here:
https://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers

George

On Wed, May 31, 2017 at 2:23 PM, Robin Wood <robin@digi.ninja> wrote:
Why not check the new referrer header as well?

https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Robin


On Wed, 31 May 2017, 12:19 Vinamra Bhatia, <vinamrabhatia8 () gmail com> wrote:

Hello All,

This is regarding an NSE script my mentor and I were working on last week.

The script checks for the HTTP response headers related to security given
in the OWASP Secure Headers Project, shows whether they are configured and gives
a brief description of them.

The script requests the header from the server with http.head and parses it
to list the headers found with their configurations. It checks for HSTS (HTTP
Strict Transport Security), HPKP (HTTP Public Key Pins), X-Frame-Options,
X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and
X-Permitted-Cross-Domain-Policies.

There is another script titled http-hsts-verify. The new script already
includes the checks provided by http-hsts-verify and does much more
comprehensive testing. Hence when we commit the new script, we should remove
the other one.

Github PR for the same https://github.com/nmap/nmap/pull/793

We would love to take suggestions on this. Thanks and have a great day!

With Regards
Vinamra


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


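An added example, not part of the thread or of the NSE script under review: a Python audit of the headers the script checks, extended with the Referrer-Policy check and the Cache-Control/Pragma/Expires check suggested in the replies, run over a constructed HTTP response. The thresholds and allow-lists (one-year HSTS max-age, the set of acceptable Referrer-Policy values, flagging unsafe-inline in CSP) are this example's own assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Assumed thresholds/allow-lists (not taken from the thread).
MIN_HSTS_MAX_AGE = 31536000  # one year
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin", "no-referrer-when-downgrade"}

def parse_headers(raw):
    """Parse a raw HTTP/1.x response head into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_ok(v):
    m = re.search(r"max-age=(\d+)", v)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE

def expires_in_past(v):
    """Expires: 0 / -1 or an already-passed HTTP-date disables caching."""
    if v.strip() in ("0", "-1"):
        return True
    try:
        return parsedate_to_datetime(v) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):       # unparsable date or naive datetime
        return False

# (header, predicate on its value, message reported when the value is weak)
CHECKS = [
    ("strict-transport-security", hsts_ok, "max-age below one year"),
    ("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "unexpected value"),
    ("x-content-type-options", lambda v: v.lower() == "nosniff", "expected nosniff"),
    ("content-security-policy", lambda v: "unsafe-inline" not in v, "allows unsafe-inline"),
    ("referrer-policy", lambda v: v.lower() in SAFE_REFERRER, "may leak full URL cross-origin"),
    ("cache-control", lambda v: "no-store" in v.lower(), "response may be cached client-side"),
    ("pragma", lambda v: v.lower() == "no-cache", "expected no-cache"),
    ("expires", expires_in_past, "expected 0 or a past date"),
]

def audit(headers):
    """Return {header: 'ok' | 'missing' | <weak-value message>} for every checked header."""
    return {name: "missing" if name not in headers else ("ok" if ok(headers[name]) else weak)
            for name, ok, weak in CHECKS}
# Constructed sample response: short HSTS, no Referrer-Policy, caching only partly disabled.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=86400\r\n"
          "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nCache-Control: private, max-age=600\r\n"
          "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n<html>...")
```

`audit(parse_headers(SAMPLE))` reports the HSTS max-age as too short, Cache-Control as cacheable, and Content-Security-Policy, Referrer-Policy and Pragma as missing, while X-Frame-Options, X-Content-Type-Options and Expires pass.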

