srcclr / security-headers Goto Github PK

Refer to the disc here

Can we see how we can add the following HTTP headers to the tool as well. @CalebFenton will provide with the scoring guide for them.

• Access-Control-Allow-Origin
• X-Powered-By
• Content-Type: text/html; charset=utf-8
• Server

Refer to the disc here

We need to add the ability for users to be able to register a domain of their choice and receive daily/weekly/monthly emails for reports with grade.

We need to parse and check if the CSP header set on the site is valid, if it is not valid then we cannot score the individual directives.

Refer to the disc here

We should scan the domains in the following way

• First try to access http://domain.com, if that redirects to https then scan and grade as we do now
• If that doesn't redirect to https then instead of reporting Missing Strict-Transport-Security we can report TLS/SSL is not enabled (The connection to this web server is vulnerable to man-in-the-middle and eavesdropping attacks.). And still score it the same way as a missing HSTS header.
• If the user enters the full URL with https then we just scan that directly, if the user enters the full URL as http we do the same as above.

https://open.srcclr.com returns a 503 Service Unavailable error:

Python Error:

ProxyError: HTTPSConnectionPool(host='open.srcclr.com', port=443): Max retries exceeded with url: / (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 503 Service Unavailable',))) (file "/usr/lib/python2.7/site-packages/requests/adapters.py", line 465, in send)

Chrome Error:

This site can’t be reached

The webpage at https://open.srcclr.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_TUNNEL_CONNECTION_FAILED