⭐️ add recommendations from OWASP HTTP Security Response Headers #427

chris-rock · 2024-08-08T21:27:07Z

This PR adds recommendations from OWASP http header recommendations.

Recommendation for removal or obfuscation of http Server header
Recommendation for removal of http header X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version and Public-Key-Pins

cnspec scan host google.com -f core/mondoo-http-security.mql.yaml

Asset: google.com
-----------------

Checks:
✕ Fail:       Set X-Content-Type-Options HTTP header to 'nosniff'
✓ Pass:       Remove all X-AspNetMvc-Version headers.
✕ Fail:       Set Content Security Policy (CSP) HTTP header
✓ Pass:       This header Public-Key-Pins is deprecated and should not be used anymore
✓ Pass:       Remove Server header or obfuscate it
✓ Pass:       Remove all X-Powered-By headers.
✓ Pass:       Remove all X-AspNet-Version headers.
✕ Fail:       Set Strict-Transport-Security (HSTS) HTTP header

core/mondoo-http-security.mql.yaml

Co-authored-by: Letha <[email protected]> Signed-off-by: Tim Smith <[email protected]>

misterpantz · 2024-08-22T15:34:08Z

Nice, clear descriptions! 🥇

⭐️ add recommendations from OWASP HTTP Security Response Headers

aa3a7a9

This comment has been minimized.

Sign in to view

🧹 update spell check

92d1419