minvws / nl-kat-coordination

European Union Public License 1.2

HTTP header parsing from config #3189

Open stephanie0x00 opened 2 weeks ago

stephanie0x00 commented 2 weeks ago

Describe the issue

The list of HTTP headers that we parse (for checking against non-standard and deprecation) is currently hardcoded. Ideally this should be read from a config file. A next step would be to create a scraper that takes this data from the Mozilla website to then feed it into KAT. That would introduce some other issues/questions with regard to Mozilla making changes to their website and having to update our boefje every time.

Related tickets are: #2731, #3188
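A sketch of the config-driven check the issue asks for, as an added example that is not KAT's own code. The JSON schema (`standard`, `deprecated`), the function names and the sample header lists are assumptions made for illustration; the loader rejects a malformed or empty list so that a changed upstream source fails loudly instead of silently disabling the check.

```python
import json

# Constructed sample config; the schema is an assumption, not KAT's format.
SAMPLE_CONFIG = """
{
  "standard": ["Content-Type", "Strict-Transport-Security",
               "Content-Security-Policy", "X-Frame-Options"],
  "deprecated": ["X-XSS-Protection", "Expect-CT", "Public-Key-Pins"]
}
"""

REQUIRED_KEYS = ("standard", "deprecated")


def load_header_config(text):
    """Parse and validate the header lists; raise ValueError if malformed."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("config root must be an object")
    config = {}
    for key in REQUIRED_KEYS:
        names = data.get(key)
        if not isinstance(names, list) or not names:
            raise ValueError(f"config key {key!r} must be a non-empty list")
        if not all(isinstance(n, str) and n.strip() for n in names):
            raise ValueError(f"config key {key!r} has an invalid header name")
        # Header field names are case-insensitive, so normalise once here.
        config[key] = {n.strip().lower() for n in names}
    return config


def classify_headers(response_headers, config):
    """Split response header names into deprecated and non-standard ones."""
    result = {"deprecated": [], "non_standard": []}
    for name in response_headers:
        lowered = name.strip().lower()
        if lowered in config["deprecated"]:
            result["deprecated"].append(name)
        elif lowered not in config["standard"]:
            result["non_standard"].append(name)
    return result


if __name__ == "__main__":
    cfg = load_header_config(SAMPLE_CONFIG)
    # Constructed response header names.
    print(classify_headers(["content-type", "X-XSS-Protection", "X-Powered-By"], cfg))
```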

underdarknl commented 2 weeks ago

https://owasp.org/www-project-secure-headers/

OWASP has machine readable lists of headers: