Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0

X-Frame-Options vs Content-Security-Policy in CheckSecurityHeaders #53

Closed NicolasCARPi closed 1 year ago

NicolasCARPi commented 1 year ago

Hello,

First, let me tell you that cats is a really great piece of software, congrats!

Issue

The fuzzer CheckSecurityHeaders checks if X-Frame-Options is present in the response, but as can be seen on MDN:

[screenshot of the MDN page on X-Frame-Options]

My app doesn't have an X-Frame-Options header, but has a CSP with frame-ancestors 'none'.

I suggest that the fuzzer validates the test if this string is present in the CSP header.

Best, ~Nico
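The check Nico asks for, written out as a stand-alone example. This is added illustration code, not CATS's own `CheckSecurityHeaders` fuzzer: it treats a response as protected against framing if it carries either `X-Frame-Options: DENY`/`SAMEORIGIN` or a `Content-Security-Policy` whose `frame-ancestors` directive restricts who may embed the page. Two caveats a checker should handle are built in: `Content-Security-Policy-Report-Only` only reports and blocks nothing, so it does not count, and `frame-ancestors *` is present but grants every origin. The header sets at the bottom are constructed samples.

```python
"""Clickjacking-protection check over HTTP response headers (example code).

A response counts as protected if it has either
  - X-Frame-Options with value DENY or SAMEORIGIN, or
  - a Content-Security-Policy whose frame-ancestors directive is present and
    does not contain the wildcard '*' (frame-ancestors supersedes X-Frame-Options).
Content-Security-Policy-Report-Only is deliberately ignored: it reports
violations but does not block framing.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, List


@dataclass
class FrameCheck:
    protected: bool
    source: Optional[str]  # "CSP frame-ancestors", "X-Frame-Options" or None
    detail: str


def _lower_keys(headers: Mapping[str, str]) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the source list of directive `name` from a CSP value, or None if absent.

    CSP directives are separated by ';' and each directive is a name followed by
    whitespace-separated source expressions.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def frame_protection(headers: Mapping[str, str]) -> FrameCheck:
    """Decide whether the response headers restrict framing, and by which mechanism."""
    h = _lower_keys(headers)

    # 1. CSP frame-ancestors takes precedence over X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_directive(csp, "frame-ancestors")
        if ancestors is not None:
            if "*" in ancestors:
                return FrameCheck(False, "CSP frame-ancestors",
                                  "frame-ancestors * permits framing by any origin")
            return FrameCheck(True, "CSP frame-ancestors", " ".join(ancestors) or "(empty list)")

    # 2. Fall back to X-Frame-Options; only DENY and SAMEORIGIN are meaningful.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return FrameCheck(True, "X-Frame-Options", xfo)
    if xfo.startswith("ALLOW-FROM"):
        return FrameCheck(False, None,
                          "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")

    return FrameCheck(False, None, "no X-Frame-Options and no CSP frame-ancestors directive")


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real service.
    samples = {
        "csp only (the reporter's case)": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "x-frame-options only": {"X-Frame-Options": "sameorigin"},
        "report-only csp": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
        "csp without frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
        "wildcard frame-ancestors": {"Content-Security-Policy": "frame-ancestors *"},
    }
    for label, hdrs in samples.items():
        r = frame_protection(hdrs)
        print(f"{label:32} protected={r.protected!s:5} via={r.source} ({r.detail})")
```

Checking the CSP first matters: when both headers are present, browsers that support `frame-ancestors` honour it and ignore `X-Frame-Options`, so the CSP value is the one that actually governs framing.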

en-milie commented 1 year ago

Hi @NicolasCARPi. Thanks! I hope it will prove useful.

Makes sense. I'll update the fuzzer to check for this header.

en-milie commented 1 year ago

Hi @NicolasCARPi. This is available in https://github.com/Endava/cats/releases/tag/cats-8.4.0.

NicolasCARPi commented 1 year ago

Thank you Madalin!