OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Add reference to the OWASP Secure Headers Project #1027

Closed righettod closed 1 year ago

righettod commented 1 year ago

Hi,

Do you agree with the idea to add a reference to the OWASP Secure Headers Project into the following area:

Do not hesitate to contact me if we can push the integration a little further with the OSHP 😃

Reference issue on the OSHP working plan: oshp/oshp-tracking#3

Thank you very much in advance 😃

rbsec commented 1 year ago

I think that it's certainly a good idea to add links to it, but I'm not sure that the Suggested Reading appendix is the best place. Because to be frank, I suspect that most people don't read appendices.

Perhaps it would be better to add more specific links to the relevant sections - so for example in the Test HTTP Test Transport Security WSTG page, we could link to the Strict Transport Security section of the Secure Headers Project.

@righettod are those section links in the SHP considered stable, or should we be linking to somewhere else?

righettod commented 1 year ago

@rbsec Thanks a lot for your feedback.

SHP also provides the information as JSON files for headers to add and headers to remove:

Information regarding headers to add and headers to remove, that can disclose information, is located here:

https://owasp.org/www-project-secure-headers/index.html#div-bestpractices

ThunderSon commented 1 year ago

@rbsec the problem there is that you can't link straight to sections on the OWASP website, you can only link to divs (like Dominique did). I agree with that proposal, having HSTS for example linked in the references of that section is better than just adding it to the suggested readings in the appendix. It'd provide better value.

Not sure how to best go at this with the weak linking we have with the OWASP website 😕 Hi @righettod !! Good to see you around :)

righettod commented 1 year ago

Hi @ThunderSon and @rbsec

It's good to see you around too ❤️

I performed some tests regarding the linking to headers and even if there are HTML anchors for the different headers, the tab feature of the OWASP site template system prevents direct pointing because I have no way to trigger a tab switch from an anchor 😭


I see in PL mailing list that the OWASP site design will be changed so perhaps the new design will allow such linking 🤞

righettod commented 1 year ago

🤔 I will continue to dig to try to find a way to achieve a direct linking using the current site template systems...

📡 I will keep you posted about this point.

ThunderSon commented 1 year ago

We had some pain points with them before and we raised them to Harold back in the day. Yeah, I'm hoping for an improved experience overall.

righettod commented 1 year ago

Thanks for the info 😃

kingthorin commented 1 year ago

From what I've heard the proposed changes for the site only deal with the projects landing page (it's unclear to me why it's so limited, I'm hoping I've misunderstood somehow).

I wonder if we could convince the SHP to use real pages instead of tabs.

righettod commented 1 year ago

As always, it is a matter of time available to make the change, but we (SHP team) will keep this in mind in our roadmap 😃

Indeed, regarding myself, I need to learn how to change the MD syntax and file structure to move to pages.

kingthorin commented 1 year ago

That's fair, I totally get that.

righettod commented 1 year ago

I updated the related point C of our roadmap with such migration: https://github.com/oshp/oshp-tracking/issues/16

righettod commented 1 year ago

Hi,

After looking again at referencing OSHP in the WSTG, I think it's fine as it is now. Indeed, the WSTG references the CSS, and the CSS references OSHP for the header topics so that's OK.

Additionally, we have completed the integration with the OpenCRE project, so we (OSHP) are now reachable for HTTP header lookup.

Anyway, thanks for the discussion on this topic 🥰