Open pnieuwkamp opened 3 years ago

Our auditors love to blindly test websites and then complain about missing headers (who puts a CSP on a 301?!?), so I would like to automate testing for them. We're already using testssl.sh for other tests, and it is showing the same headers I'm interested in, so this appears to be the ideal tool for the job.

Problem is, it only outputs them if they are actually in the response. When testing multiple websites, it's a lot easier to grep the appropriate lines and show that in my report (like `grep Content-Security-Policy output.csv | grep -v $magic_constant`) than it is to grep the lines with 'Content-Security-Policy' and figure out which ones are missing.

I made a modification to the script so I can tell it to always output all headers, but I'm afraid I haven't a clue how to turn this into a pull request. I do have a diff (against 3.1dev from today) though:

I'm using severity LOW as that was already in `run_security_headers()` but not used for any of the headers, and for the purpose of this script they aren't warnings or critical issues.

---

Hi,

couple of things....

`$HEADERFILE` already (see `run_http_header()`).

Keep in mind: the headers are changing often with the URL path supplied. testssl.sh gives you a good clue though for the URL supplied. If you want to get serious you need to check different paths. For that you basically can use testssl.sh also but maybe a client proxy is better?

Cheers, Dirk

---

Hi,

`run_security_headers()`), so I'm using that (and thus by proxy indeed `$HEADERFILE`).

I do plan to check several URLs: one for every scenario that should hit a responder policy on the ADC (max 2) and the main page from the back-end, but it's not meant as an exhaustive deep-dive.

Edit: I've edited my first post so the diff is more clear; like I said I'm not too familiar with GitHub, but I'm learning :) To 'explain' what I've done there:

`$ENV`, like the others) `run_security_headers()` from 'output the header if it exists' to 'output the header if it exists or if the user wants to see all headers', and then of course some code to maintain the layout, give it a severity, and to show the distinction between an empty header and a missing one. That last bit might be a bit redundant as the severity already tells you though.
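The "always report every header" behaviour discussed in this thread, as an added example that is neither testssl.sh's own code nor the poster's diff: a small bash script that reads a saved HTTP response (the kind of file testssl.sh keeps in `$HEADERFILE`), classifies each header of an audit list as present, empty or missing, and emits one greppable CSV line per header whether or not the server sent it. The header list, the function names, the CSV shape and the sample response are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh code: classify the security headers in a saved
# HTTP response as present / empty / missing, so that a report can grep one
# line per header unconditionally instead of only the headers the server sent.

# Which headers to report on is an assumption; adjust to the audit list.
SEC_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options Referrer-Policy"

# header_block <file>: the response headers only (up to the first blank line),
# with CRs stripped so CRLF and LF responses are handled the same way.
header_block() {
    tr -d '\r' < "$1" | sed -n '/^$/q;p'
}

# header_value <file> <name>: value of the first matching header, trimmed.
# Header names are matched case-insensitively, as HTTP requires.
header_value() {
    header_block "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# classify_header <file> <name>: prints present, empty or missing.
classify_header() {
    if header_block "$1" | grep -iq "^$2:"; then
        if [ -n "$(header_value "$1" "$2")" ]; then
            printf 'present\n'
        else
            printf 'empty\n'
        fi
    else
        printf 'missing\n'
    fi
}

# report_headers <file>: one CSV line per header, always:
#   header,severity,status,value
# Missing and empty headers both get severity LOW, as in the issue.
report_headers() {
    local h status sev
    for h in $SEC_HEADERS; do
        status=$(classify_header "$1" "$h")
        case "$status" in
            present) sev=OK ;;
            *)       sev=LOW ;;
        esac
        printf '%s,%s,%s,%s\n' "$h" "$sev" "$status" "$(header_value "$1" "$h")"
    done
}

# write_sample <file>: a constructed CRLF response used for the stand-alone run.
# The body deliberately contains a header-looking string that must be ignored,
# and one header name is lower-cased to exercise case-insensitive matching.
write_sample() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Content-Type: text/html' \
        'strict-transport-security: max-age=31536000' \
        'X-Frame-Options:' \
        '' \
        '<p>Content-Security-Policy: not a header</p>' > "$1"
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
report_headers "$SAMPLE"
rm -f "$SAMPLE"
```

Run against the constructed sample, the report contains five lines, one per listed header; only `Strict-Transport-Security` is `OK,present`, `X-Frame-Options` is `LOW,empty`, and the other three are `LOW,missing`. Because every header gets a line, `grep ',LOW,' report.csv` lists everything an auditor would flag, which is the grep the issue asks for.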