mozilla / ssh_scan_api

An API for ssh_scan (https://github.com/mozilla/ssh_scan) and the backend API service for the Mozilla SSH Observatory (https://observatory.mozilla.org/)

Vulnerability Assessment Results (09/2017) #108

Closed claudijd closed 6 years ago

claudijd commented 6 years ago

We had a vulnerability assessment performed on ssh_scan_api. The results were relatively benign, but I'm creating an issue to track the findings...

  1. Add some additional web headers to the API

WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 3
    https://sshscan.rubidus.com/
    https://sshscan.rubidus.com/robots.txt
    https://sshscan.rubidus.com

  2. Some TLS cipher improvements

claudijd commented 6 years ago

I believe the header complaints are false positives...

Cache-control: no-store
Pragma: no-cache

^^^ is set on all the paths listed above.

claudijd commented 6 years ago

I'm not concerned about the cipher selections as they stand, so I'm closing this.