ZAP Full Scan Report - Githubissues

github-actions[bot] commented 8 months ago

Site: http://localhost:8080 New Alerts
- Bypassing 403 [40038] total: 5:
- Vulnerable JS Library [10003] total: 1:
  - http://localhost:8080/js/bootstrap-3.4.1.js
- Dangerous JS Functions [10110] total: 3:
- Permissions Policy Header Not Set [10063] total: 11:
- Non-Storable Content [10049] total: 3:
- Storable and Cacheable Content [10049] total: 8:
  Ignored Alerts
- Absence of Anti-CSRF Tokens [10202] total: 3:
- CSP: Wildcard Directive [10055] total: 6:
- CSP: script-src unsafe-eval [10055] total: 6:
- CSP: Header & Meta [10055] total: 3:
- Information Disclosure - Suspicious Comments [10027] total: 16:
- Modern Web Application [10109] total: 3:

View the following link to download the report. RunnerID:6715206329

rugk commented 8 months ago

Storable and Cacheable Content

Do we miss some caching headers for these @elrido?

elrido commented 8 months ago

To me these reports are confusing: The JS and CSS are reported because they are cachable, while the dynamic content is because it's not. There should not be any special headers necessary for browsers to cache static content. For the dynamic content we do emit a limited lifetime for caching as a header.

rugk commented 8 months ago

Maybe it is because that caching then is only a heuristic and not reliable? Did not find a guideline right now, but maybe one should better explicitly specify how long it should cache stuff like this?

PrivateBin / docker-nginx-fpm-alpine

ZAP Full Scan Report #173