drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

Feature request - output all tested headers, even if they don't appear in the response #1771

Open pnieuwkamp opened 3 years ago

pnieuwkamp commented 3 years ago

Our auditors love to blindly test websites and then complain about missing headers (who puts a CSP on a 301?!?), so I would like to automate testing for them. We're already using testssl.sh for other tests, and it is showing the same headers I'm interested in, so this appears to be the ideal tool for the job.

Problem is, it only outputs them if they are actually in the response. When testing multiple websites, it's a lot easier to grep the appropriate lines and show that in my report (like grep Content-Security-Policy output.csv | grep -v $magic_constant) than it is to grep the lines with 'Content-Security-Policy' and figure out which ones are missing.

I made a modification to the script so I can tell it to always output all headers, but I'm afraid I haven't a clue how to turn this into a pull request. I do have a diff (against 3.1dev from today) though:

158a159
> SHOW_EACH_H=${SHOW_EACH_H:-false}       # where security headers are tested show just the ones sent by the server
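Review bot: the trailing comment on the new `SHOW_EACH_H` default only describes the `false` behaviour and never says what `true` does; since `${SHOW_EACH_H:-false}` means the variable can be set from the environment, this comment is also where a user learns the accepted values. Suggest something like `# false: list only the security headers the server sent; true: list every tested header and flag the missing ones`.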
3218c3219,3225
<           if [[ $? -ge 1 ]]; then
---
>           num_matches=$?
>           if [[ $num_matches -ge 1 ]] || "$SHOW_EACH_H"; then
>              if [[ $num_matches -lt 1 ]]; then
>                     svrty="LOW"
>                     HEADERVALUE="Not provided in response, but --show-each-header was specified"
>                     "$first" || out "$spaces"
>                fi
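Review bot: `|| "$SHOW_EACH_H"` on the new `if` line executes the variable's value as a command, so the option only works for the literal values `true` and `false`; with the variable exposed via `${SHOW_EACH_H:-false}`, an environment setting such as `SHOW_EACH_H=1` or `SHOW_EACH_H=yes` produces a "command not found" error or runs an unrelated program instead of enabling the feature. A string test like `[[ "$SHOW_EACH_H" == true ]]`, or normalising the value once at startup, avoids that. Related: the message `Not provided in response, but --show-each-header was specified` is wrong when the feature was enabled through the environment variable rather than the flag; a neutral `Not provided in response` is accurate either way. The indentation of the inner `if`/`fi` also drifts (14, 21 and 16 spaces) and should follow the surrounding block.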
19237a19245
>        --show-each-header            display all security headers tested even if they are empty or missing
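Review bot: the help text promises output for headers that are "empty or missing", but the branch it documents is entered only when the match count is zero (`[[ $num_matches -lt 1 ]]`); a header that is present with an empty value still takes the normal path and gets no special treatment. Either drop "empty" from the description or add handling for empty values so the option does what the help says.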
21970a21979,21981
>                     ;;
>                --show[-_]each[-_]header)
>                     SHOW_EACH_H=true
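Review bot: the new case arm is inserted as `;;` followed by the pattern and the assignment, and relies on the existing `;;` of the arm that originally followed line 21970 to terminate it; this reads as an unterminated arm in isolation and is fragile when the patch is re-applied against a different revision. Add the arm as a complete unit (pattern, `SHOW_EACH_H=true`, `;;`) after the existing terminator instead, which also makes the hunk a plain three-line insertion.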

I'm using severity LOW as that was already in run_security_headers() but not used for any of the headers, and for the purpose of this script they aren't warnings or critical issues.
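The grep workflow described in the post is the part that needs inverting: testssl.sh's CSV records which headers were seen, while the report needs the ones that were not seen, per target. The following is an added example (not code from testssl.sh or from the issue author) of a small POSIX shell script that does that inversion over CSV output without touching testssl.sh itself. It relies on the id, fqdn/ip, port, severity, finding, cve, cwe column order of testssl.sh's CSV output; the hostnames, addresses, id values and findings in the embedded sample are constructed for the example, and the list of expected headers is a stand-in policy.

```shell
#!/bin/sh
# Added example (not part of testssl.sh): report which expected HTTP security
# headers are absent per target in testssl.sh CSV output, i.e. the "which ones
# are missing" step that grepping for present headers does not give you.

# Constructed sample. The column order mirrors testssl.sh's CSV output
# ("id","fqdn/ip","port","severity","finding","cve","cwe"); the hostnames,
# IPs, id values and findings are made up for this example.
sample_csv() {
    cat <<'EOF'
"id","fqdn/ip","port","severity","finding","cve","cwe"
"Strict-Transport-Security","www.example.test/192.0.2.10","443","OK","max-age=31536000; includeSubDomains","",""
"Content-Security-Policy","www.example.test/192.0.2.10","443","OK","default-src 'self'","",""
"X-Frame-Options","www.example.test/192.0.2.10","443","OK","DENY","",""
"Strict-Transport-Security","redirect.example.test/192.0.2.11","443","OK","max-age=31536000","",""
"X-Frame-Options","portal.example.test/192.0.2.12","443","OK","SAMEORIGIN","",""
EOF
}

# Headers every target is expected to send (assumed policy for the example).
EXPECTED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options"

# Distinct targets (the fqdn/ip column) in a CSV read from stdin, header row
# skipped. Splitting on the quoted delimiter '","' is sufficient because
# testssl.sh quotes every field.
csv_targets() {
    awk -F'","' 'NR > 1 { print $2 }' | sort -u
}

# Expected headers that no row for the given target mentions.
# Usage: missing_headers <target> < csv
# The header name is matched anywhere in the row (like the grep in the issue),
# so this works whether the name sits in the id or in the finding column.
missing_headers() {
    target=$1
    rows=$(awk -F'","' -v t="$target" 'NR > 1 && $2 == t')
    for h in $EXPECTED_HEADERS; do
        printf '%s\n' "$rows" | grep -qiF -- "$h" || printf '%s\n' "$h"
    done
}

# One line per target: "<target>: MISSING h1 h2" or "<target>: ok".
header_report() {
    csv=$(cat)
    for t in $(printf '%s\n' "$csv" | csv_targets); do
        missing=$(printf '%s\n' "$csv" | missing_headers "$t" | tr '\n' ' ')
        missing=${missing% }
        if [ -n "$missing" ]; then
            printf '%s: MISSING %s\n' "$t" "$missing"
        else
            printf '%s: ok\n' "$t"
        fi
    done
}

sample_csv | header_report
```

With real output, replace `sample_csv` with `cat out.csv` from a run such as `testssl.sh --headers --csvfile out.csv https://host/`, one CSV per scanned URL if different paths are to be compared. The check only asks whether testssl.sh reported the header at all, which is exactly the gap the feature request is about; it says nothing about whether the header's value is sensible.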

drwetter commented 3 years ago

Hi,

couple of things....

Keep in mind: The headers are changing often with the URL path supplied. testssl.sh gives you a good clue though for the URL supplied. If you want to get serious you need to check different paths. For that you basically can use testssl.sh also but maybe a client proxy is better?

Cheers, Dirk

pnieuwkamp commented 3 years ago

Hi,

I do plan to check several URLs: One for every scenario that should hit a responder policy on the ADC (max 2) and the main page from the back-end, but it's not meant as an exhaustive deep-dive.

Edit: I've edited my first post so the diff is clearer; like I said I'm not too familiar with GitHub, but I'm learning :) To 'explain' what I've done there: