OWASP 10 Security issues

[gnewton]

OWASP 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project "The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are."

I applied a tool that tests for OWASP 10 vulnerabilities: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

It found a couple, mostly medium level. They involve some headers not being set:

• "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks."
• "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server"
• "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."

Is there any chance the gowut.Server interface could allow setting the underlying http.Response.Header? i.e. setting one or more headers that are sent with every response?

The report for the tool is here: https://drive.google.com/file/d/0B9uNae3afGInUnI2VEI3aENVZEk/view?usp=sharing

[icza]

This is very easily doable, although current implementation does not support it.

Will add support for this.

[icza]

Implemented adding custom headers.

New methods in Server: SetHeader() and Header(). You can use these to set headers that will be added to all responses.

Changes are committed to the gowut.dev project, will be available in the next release.

Commit: https://github.com/icza/gowut.dev/commit/12e5c40b4c21d27674c4cdd906ff519ba410a5af

Thanks for reporting this.