zhukov / webogram

Telegram web application, GPL v3
https://web.telegram.org
GNU General Public License v3.0
7.96k stars, 2.35k forks

Security posture of Web Telegram Application #939

Open LancerLunatic opened 9 years ago

LancerLunatic commented 9 years ago

Good morning. I have evaluated your application's security posture. It is very secure. It covers all the accepted industry standards. There are only a few minor issues.

  1. Medium Risk: X-Frame-Options Header Not Set. Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (sitemap.xml and css/app.css are the only ones missing it). The options to set are Deny, Sameorigin, and allow-from. The option you choose will depend on the way you set up your frames.
  2. Low Risk: Incomplete or No Cache-Control and Pragma HTTP Header Set. These headers haven't been properly configured or are missing, allowing the browser and proxies to cache content.
  3. Web Browser XSS Protection Not Enabled. Cross-site scripting is a very commonly used attack in major enterprise websites. It is on the OWASP Top 10 List. Configure XSS Protection through the "x-xss protection" HTTP response header on the web server you are using. You can use x-xss protection 1:mode=block or x-xss protection 1;report=http://https://webtelegram.org/* The browsers that support this function are IE, Chrome, and Safari.
  4. X-Content-Type-Options Header Missing. The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

I hope I was of help. I am still learning cyber security. I am a graduate student. Great work on this project !!
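A small checker for the four headers named in the report above, added here as an example that is not part of the webogram project or of this thread; it parses a constructed raw HTTP response and lists which of those headers are missing or misconfigured (X-XSS-Protection is honoured only by legacy browsers, so the check is kept but labelled as such).

```python
# Added example (not webogram code): audit a raw HTTP response for the
# security headers discussed in the report, using only the standard library.
from typing import Dict, List

# Constructed sample response, like a static css file served without the headers.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "Cache-Control: public\r\n"
    "\r\n"
    "body { margin: 0 }"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return header names (lower-cased) -> values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or misconfigured header."""
    findings: List[str] = []
    xfo = headers.get("x-frame-options", "").lower()
    if not (xfo in ("deny", "sameorigin") or xfo.startswith("allow-from ")):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN/ALLOW-FROM")
    cc = headers.get("cache-control", "").lower()
    if "no-store" not in cc and "no-cache" not in cc:
        findings.append("Cache-Control does not prevent caching (no-store/no-cache)")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (only matters for HTTP/1.0 caches)")
    xxp = headers.get("x-xss-protection", "").replace(" ", "").lower()
    if not xxp.startswith("1;mode=block"):
        findings.append("X-XSS-Protection not '1; mode=block' (legacy browsers only)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def audit_response(raw: str) -> List[str]:
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for finding in audit_response(RAW_RESPONSE):
        print("-", finding)
```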

Ryuno-Ki commented 9 years ago

Current (early 2014)

cough What was your source, @LancerLunatic?

LancerLunatic commented 9 years ago

I used the website they have listed on their github page