ZAP Scan Baseline Report - Githubissues

FORTH-ICS-INSPIRE / artemis-web

The web frontend of the ARTEMIS software project (https://github.com/FORTH-ICS-INSPIRE/artemis).

BSD 3-Clause "New" or "Revised" License

5 stars 8 forks source link

ZAP Scan Baseline Report #86

Open github-actions[bot] opened 3 years ago

github-actions[bot] commented 3 years ago

Site: https://localhost New Alerts
- Timestamp Disclosure - Unix [10096] total: 15:
- X-Content-Type-Options Header Missing [10021] total: 11:
- Modern Web Application [10109] total: 6:
- X-Frame-Options Header Not Set [10020] total: 2:
  - https://localhost/
  - https://localhost
- Content Security Policy (CSP) Header Not Set [10038] total: 4:
- Information Disclosure - Suspicious Comments [10027] total: 11:
- Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] total: 4:
- Incomplete or No Cache-control Header Set [10015] total: 3:
- Application Error Disclosure [90022] total: 1:
  - https://localhost/_next/static/chunks/pages/_error-b124520ada623f3bf8a0.js

View the following link to download the report. RunnerID:731435512

slowr commented 3 years ago

@vkotronis this is the new report with nginx proxy in front.

There are some missing stuff that we had before like CSP: https://github.com/FORTH-ICS-INSPIRE/artemis/blob/5b12a9d79a2785d53182244b2eec0d30f87aad96/frontend/webapp/core/__init__.py#L48

Then we need to hide some stuff in nginx configuration and lastly, we can create a file in the repo for some false-negatives.

(more info if you download the report)

vkotronis commented 3 years ago

@slowr I approved the nginx PR, could you also create an issue with the missing CSP details?

github-actions[bot] commented 3 years ago

Site: https://localhost New Alerts
- Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) [10035] total: 11:
- CSP: script-src unsafe-inline [10055] total: 3:
- CSP: style-src unsafe-inline [10055] total: 3:
- CSP: Wildcard Directive [10055] total: 3:
- CSP: Notices [10055] total: 3:
  Resolved Alerts
- X-Content-Type-Options Header Missing [10021] total: 11:
- X-Frame-Options Header Not Set [10020] total: 2:
- Content Security Policy (CSP) Header Not Set [10038] total: 4:
- Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] total: 4:

View the following link to download the report. RunnerID:784860073

github-actions[bot] commented 3 years ago

Site: https://localhost New Alerts
- X-Content-Type-Options Header Missing [10021] total: 11:
- X-Frame-Options Header Not Set [10020] total: 2:
  - https://localhost/
  - https://localhost
- Content Security Policy (CSP) Header Not Set [10038] total: 4:
- Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] total: 4:
  Resolved Alerts
- Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) [10035] total: 11:
- CSP: script-src unsafe-inline [10055] total: 3:
- CSP: style-src unsafe-inline [10055] total: 3:
- CSP: Wildcard Directive [10055] total: 3:
- CSP: Notices [10055] total: 3:

View the following link to download the report. RunnerID:839280981