Nmap Development mailing list archives
Re: New NSE Script http-security-headers.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Thu, 1 Jun 2017 15:05:42 +0300
Hi Vinamra,

Do you think you can also add a check for the "Cache-Control", "Pragma" and "Expires" headers? While these are not strictly "security" headers, in web applications that transmit sensitive information it is recommended to disable client-side caching by making use of these headers.

More information here: https://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers

George

On Wed, May 31, 2017 at 2:23 PM, Robin Wood <robin@digi.ninja> wrote:

> Why not check the new referrer header as well?
> https://scotthelme.co.uk/a-new-security-header-referrer-policy/
>
> Robin
>
> On Wed, 31 May 2017, 12:19 Vinamra Bhatia, <vinamrabhatia8 () gmail com> wrote:
>
> > Hello All,
> >
> > This is regarding an NSE script my mentor and I were working on last week. The script checks for the HTTP response headers related to security given in the OWASP Secure Headers Project, shows whether they are configured and gives a brief description of them.
> >
> > The script requests the server for the header with http.head and parses it to list headers found with their configurations. It checks for HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pins), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and X-Permitted-Cross-Domain-Policies.
> >
> > There is another script titled http-hsts-verify. The new script already includes the checks provided by http-hsts-verify and does much more comprehensive testing. Hence when we commit the new script, we should remove the other one.
> >
> > GitHub PR for the same: https://github.com/nmap/nmap/pull/793
> >
> > We would love to take suggestions on this.
> >
> > Thanks and have a great day!
> >
> > With Regards
> > Vinamra

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
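The script in the PR does its checks in Lua inside Nmap's http library. As an added, stand-alone illustration (not the PR's code), the Python below runs the same audit over a constructed HEAD response and adds the Referrer-Policy check Robin suggested and the Cache-Control/Pragma/Expires check George asked for; the function names and the sample response are assumptions of this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# OWASP Secure Headers set checked by the script, plus Referrer-Policy (Robin's suggestion).
SECURITY_HEADERS = (
    "strict-transport-security", "public-key-pins", "x-frame-options",
    "x-xss-protection", "x-content-type-options", "content-security-policy",
    "x-permitted-cross-domain-policies", "referrer-policy",
)

def parse_headers(raw):
    """Split a raw HEAD response (status line + headers) into a dict keyed by lowercase name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def expires_in_past(value):
    """RFC 7234 treats an unparsable Expires value (including "0") as already expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:                       # "-0000" dates come back naive
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def caching_disabled(headers):
    """True only when all three caching headers tell the client not to store the page."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    return ({"no-store", "no-cache"} <= directives
            and headers.get("pragma", "").lower() == "no-cache"
            and "expires" in headers and expires_in_past(headers["expires"]))

def audit(raw):
    """Report each security header's value (None when absent) plus the caching verdict."""
    headers = parse_headers(raw)
    report = {name: headers.get(name) for name in SECURITY_HEADERS}
    report["client-caching-disabled"] = caching_disabled(headers)
    return report

# Constructed sample response: HSTS and framing configured, caching still allowed.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: example\r\n"
          "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
          "X-Frame-Options: DENY\r\nCache-Control: no-cache\r\n\r\n")

REPORT = audit(SAMPLE)   # e.g. REPORT["x-frame-options"] == "DENY"
```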
Current thread:
- New NSE Script http-security-headers.nse Vinamra Bhatia (May 31)
- Re: New NSE Script http-security-headers.nse Robin Wood (May 31)
- Re: New NSE Script http-security-headers.nse George Chatzisofroniou (Jun 01)
- Re: New NSE Script http-security-headers.nse Robin Wood (May 31)