
Commit 6f3c957

committed
fix #1762: Stop labeling X-XSS-Protection as green
1 parent e3cd36a commit 6f3c957

1 file changed

Lines changed: 26 additions & 21 deletions


testssl.sh

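--- a/testssl.sh
+++ b/testssl.sh
@@ -3185,9 +3185,7 @@ run_cookie_flags() { # ARG1: Path
 
 
 run_security_headers() {
-local good_header="X-Frame-Options X-XSS-Protection X-Content-Type-Options Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP Content-Security-Policy-Report-Only Expect-CT"
-local other_header="Access-Control-Allow-Origin Upgrade X-Served-By Referrer-Policy X-UA-Compatible Cache-Control Pragma"
-local header header_output
+local header header_output svrty header_and_svrty
 local first=true
 local spaces=" "
 local have_header=false
@@ -3197,36 +3195,43 @@ run_security_headers() {
 fi
 
 pr_bold " Security headers "
-for header in $good_header; do
-[[ "$DEBUG" -ge 5 ]] && echo "testing \"$header\""
+# X-XSS-Protection is useless and at worst harmful, see https://news.ycombinator.com/item?id=20472947
+for header_and_svrty in "X-Frame-Options OK" \
+"X-Content-Type-Options OK" \
+"Content-Security-Policy OK" \
+"X-Content-Security-Policy OK" \
+"X-WebKit-CSP OK" \
+"Content-Security-Policy-Report-Only OK" \
+"Expect-CT OK" \
+"Permissions-Policy OK" \
+"X-XSS-Protection LOW" \
+"Access-Control-Allow-Origin INFO" \
+"Upgrade INFO" \
+"X-Served-By INFO" \
+"Referrer-Policy INFO" \
+"X-UA-Compatible Cache-Control INFO" \
+"Pragma INFO"; do
+read header svrty <<< "${header_and_svrty}"
+[[ "$DEBUG" -ge 5 ]] && echo "testing \"$header\" (severity \"$svrty\")"
 match_httpheader_key "$header" "$header" "$spaces" "$first"
 if [[ $? -ge 1 ]]; then
 have_header=true
 if "$first"; then
 first=false
 fi
+case "$svrty" in
+OK) pr_svrty_good "$header" ;;
+LOW) pr_svrty_low "$header" ;;
+INFO) pr_litecyan "$header" ;;
+esac
 # Include $header when determining where to insert line breaks, but print $header
 # separately.
-pr_svrty_good "$header"
-header_output="$(out_row_aligned_max_width "${header:2} $HEADERVALUE" "$spaces " $TERM_WIDTH)"
+header_output="$(out_row_aligned_max_width "${header:2}: $HEADERVALUE" "$spaces " $TERM_WIDTH)"
 outln "${header_output#${header:2}}"
-fileout "$header" "OK" "$HEADERVALUE"
+fileout "$header" "$svrty" "$HEADERVALUE"
 fi
 done
 
-for header in $other_header; do
-[[ "$DEBUG" -ge 5 ]] && echo "testing \"$header\""
-match_httpheader_key "$header" "$header" "$spaces" "$first"
-if [[ $? -ge 1 ]]; then
-have_header=true
-if "$first"; then
-first=false
-fi
-pr_litecyan "$header"
-outln " $HEADERVALUE" # shouldn't be that long
-fileout "$header" "INFO" "$HEADERVALUE"
-fi
-done
 #TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" or Access-Control-Allow-Origin: *
 
 if ! "$have_header"; then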
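Review bot: The list entry `"X-UA-Compatible Cache-Control INFO"` in the new `for header_and_svrty` loop packs two header names into one tuple, so `read header svrty` yields header=X-UA-Compatible and svrty="Cache-Control INFO"; that value matches no `case` arm (the header name is never printed), `fileout` records the literal severity "Cache-Control INFO", and Cache-Control itself — which the removed `other_header` list did cover — is no longer tested at all. Split it into two entries, `"X-UA-Compatible INFO" \` and `"Cache-Control INFO" \`. A default `*)` arm in the `case` that reports an unexpected severity would have surfaced this slip immediately, since the current `case` silently prints nothing for any unknown value. run_security_headers continues past the end of the hunk.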
