bestpractices

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 7, 2024 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

// Identifiers and report metadata for the HTTP cookies best-practices scan.
// Each finding is described by five constants: severity level, OWASP 2023
// category, vulnerability ID, display name and reference URL.
//
// NOTE(review): every severity level in this block is 0 and the scale is not
// defined here — confirm what 0 denotes before using it for triage.
const (
	// Scan identifier and display name.
	HTTPCookiesScanID   = "best_practices.http_cookies"
	HTTPCookiesScanName = "HTTP Cookies Best Practices"

	// Finding: cookie set without the HttpOnly attribute. HttpOnly keeps the
	// cookie out of reach of page scripts (document.cookie).
	HTTPCookiesNotHTTPOnlySeverityLevel     = 0
	HTTPCookiesNotHTTPOnlyOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTTPCookiesNotHTTPOnlyVulnerabilityID   = "security_misconfiguration.http_cookies_not_http_only"
	HTTPCookiesNotHTTPOnlyVulnerabilityName = "Cookies not HTTP-Only"
	HTTPCookiesNotHTTPOnlyVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security"

	// Finding: cookie set without the Secure attribute, so the browser may
	// also send it over plain HTTP.
	HTTPCookiesNotSecureSeverityLevel     = 0
	HTTPCookiesNotSecureOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTTPCookiesNotSecureVulnerabilityID   = "security_misconfiguration.http_cookies_not_secure"
	HTTPCookiesNotSecureVulnerabilityName = "Cookies not Secure"
	HTTPCookiesNotSecureVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security"

	// Finding: SameSite attribute missing or explicitly None, i.e. the cookie
	// is not restricted to same-site requests by the server's own policy.
	HTTPCookiesSameSiteSeverityLevel     = 0
	HTTPCookiesSameSiteOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTTPCookiesSameSiteVulnerabilityID   = "security_misconfiguration.http_cookies_same_site"
	HTTPCookiesSameSiteVulnerabilityName = "Cookies SameSite not set or set to None"
	HTTPCookiesSameSiteVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value"

	// Finding: cookie set without an Expires attribute.
	// NOTE(review): a cookie can bound its lifetime with Max-Age instead of
	// Expires; whether the scan accounts for Max-Age is not visible here —
	// confirm against the handler before treating this as a defect.
	HTTPCookiesExpiresSeverityLevel     = 0
	HTTPCookiesExpiresOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTTPCookiesExpiresVulnerabilityID   = "security_misconfiguration.http_cookies_expires"
	HTTPCookiesExpiresVulnerabilityName = "Cookies Expires not set"
	HTTPCookiesExpiresVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security"
)
// Canonical names of the HTTP response headers that this package's
// header-related findings are named after.
const (
	CSPHTTPHeader                 = "Content-Security-Policy"
	HSTSHTTPHeader                = "Strict-Transport-Security"
	CORSOriginHTTPHeader          = "Access-Control-Allow-Origin"
	XContentTypeOptionsHTTPHeader = "X-Content-Type-Options"
	XFrameOptionsHTTPHeader       = "X-Frame-Options"
)
// Identifiers and report metadata for the HTTP headers best-practices scan.
// Each finding is described by five constants: severity level, OWASP 2023
// category, vulnerability ID, display name and reference URL.
//
// NOTE(review): every severity level in this block is 0 and the scale is not
// defined here — confirm what 0 denotes before using it for triage.
//
// NOTE(review): several exported names are spelled inconsistently with their
// siblings (called out below). They are part of the package's public API, so
// correcting them needs a compatible migration rather than a plain rename.
const (
	// Scan identifier and display name.
	HTTPHeadersScanID   = "best_practices.http_headers"
	HTTPHeadersScanName = "HTTP Headers Best Practices"

	// Finding: no Content-Security-Policy header.
	// NOTE(review): the category constant is spelled "ISNotSet" while the
	// other four constants of this finding use "IsNotSet".
	CSPHTTPHeaderIsNotSetSeverityLevel     = 0
	CSPHTTPHeaderISNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	CSPHTTPHeaderIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_csp_not_set"
	CSPHTTPHeaderIsNotSetVulnerabilityName = "CSP Header is not set"
	CSPHTTPHeaderIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"

	// Finding: CSP has no frame-ancestors directive. frame-ancestors is the
	// CSP mechanism for restricting which origins may embed the response; it
	// covers the same concern as the X-Frame-Options finding further down.
	CSPHTTPHeaderFrameAncestorsIsNotSetSeverityLevel     = 0
	CSPHTTPHeaderFrameAncestorsIsNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	CSPHTTPHeaderFrameAncestorsIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_csp_frame_ancestors_not_set"
	CSPHTTPHeaderFrameAncestorsIsNotSetVulnerabilityName = "CSP frame-ancestors policy is not set"
	CSPHTTPHeaderFrameAncestorsIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"

	// Finding: no Strict-Transport-Security header.
	// NOTE(review): the first three constants are spelled "HTST" while the
	// name and URL constants (and the ID string) use "HSTS".
	HTSTHTTPHeaderIsNotSetSeverityLevel     = 0
	HTSTHTTPHeaderIsNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTSTHTTPHeaderIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_hsts_not_set"
	HSTSHTTPHeaderIsNotSetVulnerabilityName = "HSTS Header is not set"
	HSTSHTTPHeaderIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"

	// Finding: no Access-Control-Allow-Origin header.
	// NOTE(review): without this header browsers apply the same-origin
	// policy to cross-origin reads, so absence alone is not a weakness; how
	// the scan decides to report it is not visible here — confirm.
	CORSHTTPHeaderIsNotSetSeverityLevel     = 0
	CORSHTTPHeaderIsNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	CORSHTTPHeaderIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_cors_not_set"
	CORSHTTPHeaderIsNotSetVulnerabilityName = "CORS Headers are not set"
	CORSHTTPHeaderIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"

	// Finding: Access-Control-Allow-Origin is present but permissive.
	// NOTE(review): the identifiers are spelled "Permisive" while the ID
	// string uses "permissive"; what counts as permissive is decided by the
	// check, which is not shown here.
	CORSHTTPHeaderIsPermisiveSeverityLevel     = 0
	CORSHTTPHeaderIsPermisiveOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	CORSHTTPHeaderIsPermisiveVulnerabilityID   = "security_misconfiguration.http_headers_cors_permissive"
	CORSHTTPHeaderIsPermisiveVulnerabilityName = "CORS Header is set but permissive"
	CORSHTTPHeaderIsPermisiveVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"

	// Finding: no X-Content-Type-Options header (the header used to turn off
	// browser MIME-type sniffing).
	XContentTypeOptionsHTTPHeaderIsNotSetSeverityLevel     = 0
	XContentTypeOptionsHTTPHeaderIsNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	XContentTypeOptionsHTTPHeaderIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_x_content_type_options_not_set"
	XContentTypeOptionsHTTPHeaderIsNotSetVulnerabilityName = "X-Content-Type-Options Header is not set"
	XContentTypeOptionsHTTPHeaderIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"

	// Finding: no X-Frame-Options header.
	// NOTE(review): a response that already sets CSP frame-ancestors is
	// protected against framing in browsers that support it; whether the
	// scan suppresses this finding in that case is not visible here.
	XFrameOptionsHTTPHeaderIsNotSetSeverityLevel     = 0
	XFrameOptionsHTTPHeaderIsNotSetOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	XFrameOptionsHTTPHeaderIsNotSetVulnerabilityID   = "security_misconfiguration.http_headers_x_frame_options_not_set"
	XFrameOptionsHTTPHeaderIsNotSetVulnerabilityName = "X-Frame-Options Header is not set"
	XFrameOptionsHTTPHeaderIsNotSetVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"
)
// Identifiers and report metadata for the HTTP TRACE method scan.
//
// NOTE(review): the severity level is 0 and the scale is not defined here —
// confirm what 0 denotes before using it for triage.
const (
	// Scan identifier and display name.
	HTTPTraceScanID   = "best_practices.http_trace"
	HTTPTraceScanName = "HTTP Trace Method Best Practices"

	// Finding: the server accepts the TRACE method. TRACE is a diagnostic
	// loop-back of the received request and is normally disabled on
	// production servers and proxies.
	HTTPTraceMethodSeverityLevel     = 0
	HTTPTraceMethodOWASP2023Category = report.OWASP2023SecurityMisconfigurationCategory
	HTTPTraceMethodVulnerabilityID   = "security_misconfiguration.http_trace_method"
	HTTPTraceMethodVulnerabilityName = "HTTP Trace Method enabled"
	HTTPTraceMethodVulnerabilityURL  = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/TRACE"
)

Variables

This section is empty.

Functions

func CheckCORSAllowOrigin

func CheckCORSAllowOrigin(operation *request.Operation, headers http.Header, r *report.ScanReport) bool

func HTTPCookiesScanHandler added in v0.4.0

func HTTPCookiesScanHandler(operation *request.Operation, securityScheme auth.SecurityScheme) (*report.ScanReport, error)

func HTTPHeadersBestPracticesScanHandler

func HTTPHeadersBestPracticesScanHandler(operation *request.Operation, ss auth.SecurityScheme) (*report.ScanReport, error)

func HTTPTraceMethodScanHandler

func HTTPTraceMethodScanHandler(operation *request.Operation, ss auth.SecurityScheme) (*report.ScanReport, error)

Types

This section is empty.
