Closed LiamRiddell closed 3 years ago
Thank you for raising this pull request. Even though this is marked as deprecated, there are still many frameworks still using `1; mode=block`, which is not totally wrong per se. I would recommend enhancing this class to allow multiple valid values for the same header. An idea on how to do this:

- `SECURITY_HEADERS`: a map, where the header name is the key; `X-XSS-Protection` will have 2 values
- `getMissingSecurityHeaders`: use an `anyMatch` for the possible values associated to each header

This is now implemented in https://github.com/Endava/cats/releases/tag/cats-6.0.5
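A sketch of the approach described in the comment above, added here as an illustration and not CATS's own code: a map from header name to its accepted values, with `getMissingSecurityHeaders` flagging a header only when none of the accepted values match (`anyMatch`). The class name, the case-insensitive comparison and the sample response are assumptions made for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical sketch of a multi-value security header check (not the project's code).
public class SecurityHeadersCheck {

    // Header name -> set of accepted values. X-XSS-Protection accepts both the
    // OWASP-recommended "0" and the still widely used legacy "1; mode=block".
    // The other entries are constructed for illustration only.
    static final Map<String, Set<String>> SECURITY_HEADERS = Map.of(
            "X-XSS-Protection", Set.of("0", "1; mode=block"),
            "X-Content-Type-Options", Set.of("nosniff"),
            "X-Frame-Options", Set.of("DENY", "SAMEORIGIN"));

    /** Returns headers that are absent, or present with a value outside the accepted set. */
    static List<String> getMissingSecurityHeaders(Map<String, String> responseHeaders) {
        // HTTP header names are case-insensitive, so normalise before lookup.
        Map<String, String> normalised = responseHeaders.entrySet().stream()
                .collect(Collectors.toMap(
                        e -> e.getKey().toLowerCase(),
                        e -> e.getValue().trim(),
                        (first, second) -> first));

        return SECURITY_HEADERS.entrySet().stream()
                .filter(expected -> {
                    String actual = normalised.get(expected.getKey().toLowerCase());
                    // anyMatch: the header passes if its value equals ANY accepted value.
                    boolean ok = actual != null
                            && expected.getValue().stream().anyMatch(v -> v.equalsIgnoreCase(actual));
                    return !ok;
                })
                .map(Map.Entry::getKey)
                .sorted()
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample response: legacy XSS value (accepted), a rejected
        // X-Frame-Options value, and no X-Content-Type-Options at all.
        Map<String, String> response = Map.of(
                "x-xss-protection", "1; mode=block",
                "X-Frame-Options", "ALLOWALL");
        System.out.println(getMissingSecurityHeaders(response));
    }
}
```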
Modified the `CheckSecurityHeadersFuzzer.java` to check that the `X-XSS-Protection` header is disabled in order to align with the OWASP standards, as most browser vendors have deprecated or removed this feature due to the fact it can introduce additional security issues. Please view the following references:

- OWASP - https://owasp.org/www-project-secure-headers/#x-xss-protection
- Mozilla Developer Network Web Docs (MDN) - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection