Commit
Feature: 1 new insecure check (Referrer-Policy - Duplicated Values)
rfc-st committed Jan 11, 2025
1 parent 057865c commit 407ef3a
Showing 5 changed files with 27 additions and 10 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -60,7 +60,7 @@
:heavy_check_mark: 58 [checks](#checks-enabled-headers) for enabled security-related HTTP response headers.<br />
:heavy_check_mark: 14 [checks](#checks-missing-headers) for missing security-related HTTP response headers (the ones I consider essential).<br />
:heavy_check_mark: 1186 [checks](#checks-fingerprint-headers) for fingerprinting through HTTP response headers.<br />
:heavy_check_mark: 128 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
:heavy_check_mark: 129 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
:heavy_check_mark: Checks compliance with OWASP <a href="https://owasp.org/www-project-secure-headers/#div-bestpractices" target="_blank">'Secure Headers Project'<a> Best Practices.<br />
:heavy_check_mark: SSL/TLS checks: requires the **amazing** https://testssl.sh/.<br />
:heavy_check_mark: Browser support references for enabled HTTP security headers: provided by https://caniuse.com/.<br />
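Review bot: the unchanged OWASP line just below the edited counter closes the link with `<a>` instead of `</a>`, which leaves an unclosed anchor in the rendered README; since this block is being touched anyway, it is worth fixing in the same change. The counter bump from 128 to 129 itself is consistent with the single new entry added to additional/insecure.txt.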
1 change: 1 addition & 0 deletions additional/insecure.txt
Expand Up @@ -90,6 +90,7 @@ Proxy-Authenticate: No Valid Directives
Proxy-Authenticate: Unsafe Value
Public-Key-Pins: Deprecated Header
Public-Key-Pins-Report-Only: Deprecated Header
Referrer-Policy: Duplicated Values
Referrer-Policy: Incorrect Value
Referrer-Policy: Recommended Values
Referrer-Policy: Unsafe Value
10 changes: 7 additions & 3 deletions humble.py
Expand Up @@ -2148,8 +2148,10 @@ def custom_help_formatter(prog):
'PrivateToken', 'SCRAM-SHA-1', 'SCRAM-SHA-256', 'vapid')

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
t_ref_secure = ('strict-origin', 'strict-origin-when-cross-origin',
'no-referrer-when-downgrade', 'no-referrer')
# https://www.w3.org/TR/referrer-policy/#information-leakage
t_ref_secure = ('same-origin', 'strict-origin',
'strict-origin-when-cross-origin', 'no-referrer',
'no-referrer-when-downgrade')
t_ref_values = ('no-referrer', 'no-referrer-when-downgrade', 'origin',
'origin-when-cross-origin', 'same-origin', 'strict-origin',
'strict-origin-when-cross-origin', 'unsafe-url')
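Review bot: adding 'same-origin' to t_ref_secure is correct, but keeping 'no-referrer-when-downgrade' in a tuple named "secure" sits oddly next to the new W3C information-leakage reference: that policy still sends the full URL (path and query string) to any cross-origin HTTPS destination, which is precisely the leak that section describes. Consider dropping it from t_ref_secure (it stays in t_ref_values, so it is still recognised as a valid value) or renaming the tuple so the name does not promise more than the list delivers. Note also that the call site tests membership with `elem in referrer_header`, i.e. substring matching, so 'strict-origin' already matches a header of 'strict-origin-when-cross-origin'; that is harmless here because both are listed, but it is worth keeping in mind when editing this tuple.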
Expand Down Expand Up @@ -2502,8 +2504,10 @@ def custom_help_formatter(prog):

referrer_header = headers_l.get('referrer-policy', '')
if referrer_header and '44' not in skip_list:
if ',' in referrer_header:
print_details('[irefd_h]', '[irefd]', 'd', i_cnt)
if not any(elem in referrer_header for elem in t_ref_secure):
print_details('[iref_h]', '[iref]', 'm', i_cnt)
print_details('[iref_h]', '[iref]', 'd', i_cnt)
if 'unsafe-url' in referrer_header:
print_details('[irefi_h]', '[irefi]', 'd', i_cnt)
if not any(elem in referrer_header for elem in t_ref_values):
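Review bot: the new duplicate check `if ',' in referrer_header:` fires on any comma, but a comma-separated list is the documented way to supply a fallback policy for browsers that do not understand the first token (for example `Referrer-Policy: no-referrer, strict-origin-when-cross-origin`, where the browser applies the last value it recognises), so a correctly configured site will be reported as "Duplicated Values". To flag only genuine duplication, split the header and compare the number of tokens with the number of distinct tokens, along the lines of
    values = [v.strip() for v in referrer_header.split(',') if v.strip()]
    if len(values) != len(set(values)):
This still catches a header that was sent twice if repeated header fields are folded into one comma-joined string before reaching this code, which is the case the check seems intended for. Once the header is split, the secure-values test two lines above could also compare the token list against t_ref_secure exactly instead of by substring.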
12 changes: 9 additions & 3 deletions l10n/details.txt
Expand Up @@ -590,6 +590,9 @@
[ipkpr_h]
Public-Key-Pins-Report-Only (Deprecated Header)

[irefd_h]
Referrer-Policy (Duplicated Values)

[iref_h]
Referrer-Policy (Recommended Values)

Expand Down Expand Up @@ -1072,11 +1075,14 @@ HTTP Response Headers
Include at least one valid directive.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding

[iref]
Use 'strict-origin' or 'strict-origin-when-cross-origin' if there are sensitive resources.
Or fall back to 'no-referrer-when-downgrade' or even 'no-referrer'.
[irefd]
This header, or its values, may be duplicated.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

[iref]
Use a restrictive value if there are sensitive resources in the URL.
Ref: https://www.w3.org/TR/referrer-policy/#information-leakage

[islogin]
Include at least one valid directive.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Login
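Review bot: the new [irefd] text "This header, or its values, may be duplicated." names the finding but gives no remediation, unlike the neighbouring entries, which tell the reader what to do ("Include at least one valid directive."). Suggest something like "Send this header once, with a single policy; if you list several values as a fallback, do not repeat any of them." The hedge "may be" is honest given that the check only looks for a comma, but it also signals that the check itself is imprecise, which argues for tightening the check rather than the wording.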
12 changes: 9 additions & 3 deletions l10n/details_es.txt
Expand Up @@ -591,6 +591,9 @@
[ipkpr_h]
Public-Key-Pins-Report-Only (Cabecera obsoleta)

[irefd_h]
Referrer-Policy (Valores duplicados)

[iref_h]
Referrer-Policy (Valores recomendados)

Expand Down Expand Up @@ -1077,11 +1080,14 @@ Cabeceras de respuesta HTTP
Incluya, al menos, una directiva correcta.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding

[iref]
Si hay datos sensibles utilice 'strict-origin' o 'strict-origin-when-cross-origin'.
O incluso 'no-referrer-when-downgrade' o 'no-referrer'.
[irefd]
Esta cabecera, o sus valores, pueden estar duplicados.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

[iref]
Utiliza un valor restrictivo si hay recursos sensibles en la URL.
Ref: https://www.w3.org/TR/referrer-policy/#information-leakage

[islogin]
Incluya, al menos, una directiva correcta.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Login
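Review bot: the new [iref] line "Utiliza un valor restrictivo si hay recursos sensibles en la URL." uses the informal imperative (tú), while the rest of this file uses the formal register ("Incluya" in the surrounding entries, and "utilice" in the line being removed). Suggest "Utilice un valor restrictivo si hay recursos sensibles en la URL." to keep the register consistent. The new [irefd] entry matches the English text and reads fine.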
