OWASP / www-project-secure-headers

The OWASP Secure Headers Project
https://owasp.org/www-project-secure-headers/
Apache License 2.0

References aren't clickable and other cleanup #15

Closed davewichers closed 2 years ago

davewichers commented 4 years ago

Can someone:

righettod commented 3 years ago

Hello, Feel free to submit a PR 😃

davewichers commented 3 years ago

I have my own project to work on.

righettod commented 3 years ago

@riramar Perhaps the following syntax can be used to quickly convert all existing text links as clickable links:

<https://stackoverflow.com/>
righettod commented 3 years ago

Regarding the broken links, the following approach can be used in a GH action pipeline:

# npm i -D markdown-link-check
$ find *.md -exec npx markdown-link-check {} \;

FILE: index.md
[✖] https://owasp.org/www-project-secure-headers/"
[✓] https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project
[✓] https://github.com/adamaveray
[✓] https://twitter.com/manicode

4 links checked.

ERROR: 1 dead links found!
[✖] https://owasp.org/www-project-secure-headers/" → Status: 404

FILE: info.md
[✓] https://github.com/riramar/hsecscan
[✓] https://github.com/oshp/

2 links checked.

FILE: leaders.md
[✓] mailto:ricardo.iramar@owasp.org
[✓] mailto:alexandre.fmenezes@owasp.org

2 links checked.

FILE: README.md
[✓] https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project
[✓] https://github.com/adamaveray
[✓] https://twitter.com/manicode

3 links checked.

FILE: tab_compatibility.md
[✓] https://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/
[✓] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[✓] https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
[✓] https://caniuse.com/#search=HSTS
[✓] https://caniuse.com/#search=X-Frame-Options
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[✓] https://caniuse.com/#search=Content%20Security%20Policy
[✓] https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
[✓] https://caniuse.com/#search=Feature-Policy
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
[✓] https://caniuse.com/#search=Public%20Key%20Pinning
[✓] https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
[✓] https://www.chromestatus.com/feature/5903385005916160
[✓] https://www.chromestatus.com/feature/5677171733430272
[✓] https://wiki.mozilla.org/Security/Features/XSS_Filter
[✓] https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data#browser_compatibility
[✓] https://www.chromestatus.com/feature/4713262029471744
[✓] https://caniuse.com/?search=clear-site-data
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#browser_compatibility
[✓] https://caniuse.com/?search=Cross-Origin-Embedder-Policy
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy#browser_compatibility
[✓] https://caniuse.com/?search=Cross-Origin-Opener-Policy
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy#browser_compatibility
[✓] https://caniuse.com/?search=Cross-Origin-Resource-Policy

26 links checked.

FILE: tab_headers.md
[✓] https://tools.ietf.org/html/rfc6797
[✓] https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
[✓] https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html
[✓] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[✓] https://www.chromium.org/hsts
[✓] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
[✓] https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
[✓] https://tools.ietf.org/html/rfc7034
[✓] https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01
[✓] https://tools.ietf.org/html/draft-ietf-websec-frame-options-00
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
[✓] https://owasp.org/www-community/attacks/Clickjacking
[✓] https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
[✓] https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx
[✓] https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
[✓] https://www.w3.org/TR/CSP/
[✓] https://developer.mozilla.org/en-US/docs/Web/Security/CSP
[✖] https://owasp.org/www-community/attacks/Content_Security_Policy
[✓] https://scotthelme.co.uk/content-security-policy-an-introduction/
[✓] https://report-uri.io
[✓] https://content-security-policy.com
[✓] https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
[✓] https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
[✓] https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
[✓] https://danielnixon.org/http-security-headers/
[✓] https://rorsecurity.info/portfolio/new-http-headers-for-more-security
[✓] https://github.com/twitter/secureheaders/issues/88
[✓] https://www.w3.org/TR/referrer-policy/
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
[✓] https://w3c.github.io/webappsec-clear-site-data/
[✓] https://caniuse.com/?search=clear-site-data
[✓] https://www.chromestatus.com/feature/4713262029471744
[✓] https://github.com/w3c/webappsec-clear-site-data
[✓] https://github.com/w3c/webappsec-clear-site-data/tree/master/demo
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)
[✓] https://html.spec.whatwg.org/multipage/origin.html#coep
[✓] https://caniuse.com/?search=Cross-Origin-Embedder-Policy
[✓] https://web.dev/coop-coep/
[✓] https://web.dev/why-coop-coep/
[✓] https://xsleaks.dev/
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
[✓] https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
[✓] https://caniuse.com/?search=Cross-Origin-Opener-Policy
[✓] https://github.com/xsleaks/xsleaks
[✓] https://portswigger.net/daily-swig/xs-leak
[✓] https://portswigger.net/research/xs-leak-detecting-ids-using-portal
[✓] https://en.wikipedia.org/wiki/Side-channel_attack
[✓] https://spectreattack.com/
[✓] https://www.scip.ch/en/?labs.20160414
[✓] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
[✓] https://developer.mozilla.org/en-US/docs/Glossary/Site
[✓] https://developer.mozilla.org/en-US/docs/Glossary/Origin
[✓] https://resourcepolicy.fyi/#corp-and-isolation
[✓] https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
[✓] https://caniuse.com/?search=Cross-Origin-Resource-Policy
[✓] https://resourcepolicy.fyi/
[✓] https://w3c.github.io/webappsec-feature-policy/#permissions-policy-http-header-field
[✓] https://w3c.github.io/webappsec-feature-policy/document-policy#document-policy-http-header
[✓] https://caniuse.com/#search=Feature-Policy
[✓] https://w3c.github.io/webappsec-feature-policy/
[✓] https://scotthelme.co.uk/a-new-security-header-feature-policy/
[✓] https://github.com/w3c/webappsec-feature-policy/blob/master/features.md
[✓] https://scotthelme.co.uk/using-security-features-to-do-bad-things/
[✓] https://tools.ietf.org/html/rfc7469
[✓] https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning#HTTP_pinning
[✓] https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
[✓] https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
[✓] https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
[✓] https://labs.detectify.com/2016/07/05/what-hpkp-is-but-isnt/
[✓] https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
[✓] https://scotthelme.co.uk/im-giving-up-on-hpkp/
[✓] https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
[✓] https://www.chromestatus.com/feature/5677171733430272
[✓] https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-08
[✓] https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
[✖] https://httpwg.org/http-extensions/expect-ct.html
[✓] https://scotthelme.co.uk/a-new-security-header-expect-ct/
[✓] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[✓] https://www.chromestatus.com/feature/5021976655560704
[✓] https://bugzilla.mozilla.org/show_bug.cgi?id=528661
[✓] https://blogs.windows.com/windowsexperience/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/
[✓] https://github.com/zaproxy/zaproxy/issues/5849
[✓] https://scotthelme.co.uk/security-headers-updates/#removing-the-x-xss-protection-header
[✓] https://portswigger.net/daily-swig/google-chromes-xss-auditor-goes-back-to-filter-mode
[✓] https://owasp.org/www-community/attacks/xss/
[✓] https://www.virtuesecurity.com/blog/understanding-xss-auditor/
[✓] https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
[✓] http://zinoui.com/blog/security-http-headers#x-xss-protection

91 links checked.

ERROR: 2 dead links found!
[✖] https://owasp.org/www-community/attacks/Content_Security_Policy → Status: 404
[✖] https://httpwg.org/http-extensions/expect-ct.html → Status: 404

FILE: tab_technical.md
[✓] https://github.com/riramar/hsecscan
[✓] https://github.com/oshp/headers/
[✓] https://securityheaders.com/
[✓] https://observatory.mozilla.org/
[✓] https://github.com/mozilla/http-observatory/
[✓] https://github.com/mozilla/http-observatory-website/
[✖] https://www.htbridge.com/websec/
[✓] https://cyh.herokuapp.com/cyh
[✓] https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda
[✓] https://github.com/frickelbruder/kickoff
[✓] https://github.com/drwetter/testssl.sh
[✓] https://github.com/Santandersecurityresearch/DrHeader
[✓] https://github.com/AmitKulkarni9/API-Security
[✓] https://github.com/ovh/venom
[✓] https://owasp.org/www-project-secure-headers/
[✓] https://gist.github.com/righettod/f63548ebd96bed82269dcc3dfea27056
[✓] https://github.com/twitter/secureheaders
[✓] https://shim.codeplex.com/
[✓] https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html
[✓] https://github.com/aidantwoods/SecureHeaders
[✓] https://github.com/frodsan/rack-secure_headers
[✓] https://github.com/helmetjs/helmet
[✓] https://github.com/seanmonstar/hood
[✓] https://github.com/nlf/blankie
[✓] https://docs.nwebsec.com
[✓] https://github.com/mozilla/django-csp
[✓] https://github.com/jsocol/commonware/
[✓] https://github.com/sdelements/django-security
[✓] https://github.com/cakinney/secure
[✓] https://github.com/kr/secureheader
[✓] https://github.com/anotherhale/secure_headers
[✓] https://github.com/palantir/dropwizard-web-security
[✓] https://github.com/rwjblue/ember-cli-content-security-policy/
[✓] https://github.com/amenezes/http_hardening
[✓] https://forge.puppet.com/amenezes/http_hardening

35 links checked.

ERROR: 1 dead links found!
[✖] https://www.htbridge.com/websec/ → Status: 404

FILE: tab_top.md
No hyperlinks found!

0 links checked.

@riramar : Once PR #23 is handled, I can propose a GH pipeline if you are OK...
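One way to turn the command above into a GitHub Actions job, written here as an added example and not taken from the project's PR #24. A bare `find -exec` does not propagate the checker's exit status to the job, so a file with dead links would still leave the workflow green; the loop below records any non-zero result and exits with it. The workflow name, triggers, Node version and the `node_modules` exclusion are assumptions.

```yaml
# Added example: fail the CI job when markdown-link-check reports a dead link
# in any Markdown file of the repository (not the project's own workflow).
name: markdown-link-check

on:
  push:
  pull_request:

jobs:
  links:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'   # assumption; any recent LTS works
      - name: Check links in every Markdown file
        shell: bash
        run: |
          npm i -D markdown-link-check
          status=0
          # `find -exec` would swallow the checker's exit code, so iterate
          # over the files and remember whether any run failed.
          while IFS= read -r -d '' f; do
            npx markdown-link-check -q "$f" || status=1
          done < <(find . -name '*.md' -not -path './node_modules/*' -print0)
          exit "$status"
```

The `-q` flag prints only the failing links, which keeps the job log close to the `ERROR: N dead links found!` summary shown above. Note that the first 404 in the output (the URL ending in a stray `"`) is a typo in the Markdown source rather than a dead target, which is exactly the kind of defect this check surfaces; sites that block automated requests can be excluded with an `ignorePatterns` entry in a markdown-link-check config file passed via `-c` rather than by relaxing the exit status.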

righettod commented 3 years ago

For the check of the links, PR #24 was proposed 😃

righettod commented 3 years ago

Status:

righettod commented 3 years ago

For the issue with the table size, I have found the following trick:

image

riramar commented 2 years ago

Let's close this issue and open one issue for each item if required.