Open seffparker opened 2 years ago
Since HTTP headers are case-insensitive, would it be more clear if Goss just lowercased it?
The yaml test file would have to be lowercase, but the challenge of guessing how Go mutates the headers would be gone.
Leaving this open. Making everything lowercase does fix the issue to some degree, but it is a breaking change for all existing users.
The challenge is Go mutates the headers. I wonder if there's a way to skip that.. :thinking:
Describe the bug The HTTP header X-XSS-Protection, which is present, does not match, and we have to either match the string X-Xss-Protection or use a case-insensitive regex pattern like "/(?i:X-XSS-Protection: 1;mode=block)/"
How To Reproduce Apache conf:
HTTP headers:
Test rule:
Expected Behavior Test passed.
Actual Behavior
Environment:
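The behavior discussed in this issue, as an added example that is not part of the issue or of Goss's code: Go's net/http stores header names in canonical form when it parses a response, so `X-XSS-Protection` is kept as `X-Xss-Protection`, and a lookup that goes through `Header.Values` canonicalizes the expected name too. The sample response and the function names `parseHeaders`, `rawLookup` and `hasHeader` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample response (not taken from the issue).
const rawResponse = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nContent-Length: 0\r\n\r\n"

// parseHeaders parses a raw response the way a Go HTTP client would.
func parseHeaders(raw string) (http.Header, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return resp.Header, nil
}

// rawLookup indexes the header map directly, so name must already be canonical.
func rawLookup(h http.Header, name, value string) bool {
	for _, v := range h[name] {
		if v == value {
			return true
		}
	}
	return false
}

// hasHeader uses Header.Values, which canonicalizes name before the lookup.
func hasHeader(h http.Header, name, value string) bool {
	for _, v := range h.Values(name) {
		if strings.TrimSpace(v) == value {
			return true
		}
	}
	return false
}

func main() {
	h, err := parseHeaders(rawResponse)
	if err != nil {
		panic(err)
	}
	fmt.Println(rawLookup(h, "X-XSS-Protection", "1; mode=block"), hasHeader(h, "X-XSS-Protection", "1; mode=block"))
}
```

Only the header name is compared case-insensitively here; the value is still matched exactly.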