securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

Offer a basic API #17

Closed bhubbard closed 7 years ago

bhubbard commented 8 years ago

I think this tool is great and would love to see it offer an API.

ScottHelme commented 8 years ago

Would this be sufficient?

curl -I -X HEAD https://securityheaders.io/?q=https%3A%2F%2Fscotthelme.co.uk&followRedirects=on

HTTP/1.1 200 OK
Server: securityheaders.io
Date: Sat, 10 Sep 2016 09:56:42 GMT
...
X-Score: eyJzY29yZSI6IkErIiwgImNvbG91ciI6ImxpZ2h0Z3JlZW4ifQ==
X-Grade: A+
...
bhubbard commented 8 years ago

Yeah, that should work; it would be nice if it returned the items in JSON format, though.

ScottHelme commented 8 years ago

If you base64 decode the X-Score header then there is some JSON data in there. I am looking at standing up an API endpoint to fetch the JSON data though :-)

ScottHelme commented 7 years ago

Let me know if the above solution was ok.

schnti commented 7 years ago

XMLHttpRequest cannot load https://securityheaders.io/?hide=on&followRedirects=on&q=http://neu.domain.de. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://neu.domain.de' is therefore not allowed access. The response had HTTP status code 405.

XSS isn't allowed.

ScottHelme commented 7 years ago

Interesting, what's sending the pre-flight? Can you give me a little info on the setup?

schnti commented 7 years ago

Via an AJAX request:

// Requires jQuery ($). Fetches the securityheaders.io result page cross-origin
// and renders the grade from the X-Score response header.
function securityheaders() {
    $.ajax({
        url: 'https://securityheaders.io/?hide=on&followRedirects=on&q=http://neu.domain.de',
        type: "GET",
        // Setting a non-safelisted Content-Type on a cross-origin request makes it
        // a "non-simple" request, so the browser sends an OPTIONS preflight first.
        contentType: 'text/html',
        success: function (data, textStatus, request) {
            // X-Score is base64-encoded JSON: {"score": "...", "colour": "..."}
            var header = JSON.parse(atob(request.getResponseHeader('X-Score')));
            console.log(header);

            var element = $('#securityheaders');
            element.html(header['score']);
            element.css('background-color', header['colour']);
        },
        error: function (error) {
            console.log(error);
        }
    });
}

securityheaders();

This is a typical CORS problem: https://stackoverflow.com/a/20035319
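As an added example (not code from the thread or from securityheaders.io), the following Node.js script does the X-Score decoding ScottHelme describes earlier, but on raw header text such as the `curl -I` output quoted above, so it runs server-side where the browser's CORS preflight does not apply. The sample response is constructed from the headers shown in the thread; the expected JSON shape (`score`, `colour`) and the cross-check against X-Grade are assumptions drawn from that output.

```javascript
// Constructed sample: the header block from the curl output quoted in the thread.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: securityheaders.io',
  'Date: Sat, 10 Sep 2016 09:56:42 GMT',
  'X-Score: eyJzY29yZSI6IkErIiwgImNvbG91ciI6ImxpZ2h0Z3JlZW4ifQ==',
  'X-Grade: A+',
].join('\r\n');

// Split "Name: value" lines into a lower-cased header map; the status line is skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Decode X-Score (base64-wrapped JSON) and cross-check it against X-Grade.
// Returns null when the header is missing or does not decode to the expected
// shape, so a caller never renders a malformed or unexpected value blindly.
function decodeScore(headers) {
  const encoded = headers['x-score'];
  // Buffer.from() silently ignores bad base64, so validate the alphabet first.
  if (!encoded || !/^[A-Za-z0-9+/]+=*$/.test(encoded)) return null;
  let score;
  try {
    score = JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
  } catch (e) {
    return null; // not valid JSON
  }
  if (typeof score !== 'object' || score === null) return null;
  if (typeof score.score !== 'string' || typeof score.colour !== 'string') return null;
  // Accept only a plain CSS colour keyword, since the value ends up in a style rule.
  if (!/^[a-z]+$/.test(score.colour)) return null;
  const grade = headers['x-grade'];
  return { score: score.score, colour: score.colour, matchesGrade: grade === score.score };
}

console.log(decodeScore(parseHeaders(SAMPLE_RESPONSE)));
// { score: 'A+', colour: 'lightgreen', matchesGrade: true }
```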

ScottHelme commented 7 years ago

Yep... :(

Can you bug this as a new issue?