From 573a15c87f1be7dd0d62790e4d068aa1964f5e27 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Fri, 23 Aug 2024 18:20:59 +0200 Subject: [PATCH] =?UTF-8?q?=E2=AD=90=EF=B8=8F=20add=20recommendations=20fr?= =?UTF-8?q?om=20OWASP=20HTTP=20Security=20Response=20Headers=20(#427)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR adds recommendations from [OWASP http header recommendations](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html). - Recommendation for removal or obfuscation of http `Server` header - Recommendation for removal of http header `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version` and `Public-Key-Pins` ``` cnspec scan host google.com -f core/mondoo-http-security.mql.yaml Asset: google.com ----------------- Checks: ✕ Fail: Set X-Content-Type-Options HTTP header to 'nosniff' ✓ Pass: Remove all X-AspNetMvc-Version headers. ✕ Fail: Set Content Security Policy (CSP) HTTP header ✓ Pass: This header Public-Key-Pins is deprecated and should not be used anymore ✓ Pass: Remove Server header or obfuscate it ✓ Pass: Remove all X-Powered-By headers. ✓ Pass: Remove all X-AspNet-Version headers. ✕ Fail: Set Strict-Transport-Security (HSTS) HTTP header ``` --------- Signed-off-by: Tim Smith Co-authored-by: Tim Smith Co-authored-by: Letha --- .github/actions/spelling/expect.txt | 3 ++ core/mondoo-http-security.mql.yaml | 52 +++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 59a0dd85..46f173c1 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -98,11 +98,13 @@ logouts Lsa Lsass lsetxattr +lsws marcellus MLE moonbase mpim MRx +Mvc mydb mysupersecretpasswordforthemasteruser nameid @@ -118,6 +120,7 @@ oidc OMHVGHACB opasswd openat +openresty openssh openssl opensuse 
diff --git a/core/mondoo-http-security.mql.yaml b/core/mondoo-http-security.mql.yaml index 9d6f7a06..479f5a59 100644 --- a/core/mondoo-http-security.mql.yaml +++ b/core/mondoo-http-security.mql.yaml @@ -45,6 +45,11 @@ policies: checks: - uid: mondoo-http-security-x-content-type-options-nosniff - uid: mondoo-http-security-content-security-policy + - uid: mondoo-http-security-obfuscate-server + - uid: mondoo-http-security-no-x-powered-by + - uid: mondoo-http-security-no-x-aspnet-version + - uid: mondoo-http-security-no-x-aspnetmvc-version + - uid: mondoo-http-security-no-public-key-pins - title: Headers for HTTPS communication filters: | asset.platform == 'host' @@ -62,6 +67,8 @@ queries: refs: - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options title: MDN Web Docs X-Content-Type-Options + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection + title: OWASP HTTP Security Response Headers Cheat Sheet - uid: mondoo-http-security-content-security-policy title: Set Content Security Policy (CSP) HTTP header mql: http.get.header.params.keys.any('Content-Security-Policy') 
@@ -80,3 +87,48 @@ queries: refs: - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP title: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security + - uid: mondoo-http-security-obfuscate-server + title: Remove or obfuscate the Server header + mql: http.get.header.params.keys.none("Server") || http.get.header.params["Server"].map(downcase).none(_ == /nginx|microsoft|apache|lsws|openresty/) + docs: + desc: | + The X-Powered-By header exposes information about the server software. Remove it to reduce the attack surface. + refs: + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#server + title: OWASP HTTP Security Response Headers Cheat Sheet + - uid: mondoo-http-security-no-x-powered-by + title: Remove all X-Powered-By headers + mql: http.get.header.params.keys.none("X-Powered-By") + docs: + desc: | + The X-Powered-By header exposes information about the server software. Remove it to reduce the attack surface. + refs: + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-powered-by + title: OWASP HTTP Security Response Headers Cheat Sheet + - uid: mondoo-http-security-no-x-aspnet-version + title: Remove all X-AspNet-Version headers + mql: http.get.header.params.keys.none("X-AspNet-Version") + docs: + desc: | + The X-AspNet-Version header exposes information about the server software. Remove it to reduce the attack surface. + refs: + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-aspnet-version + title: OWASP HTTP Security Response Headers Cheat Sheet + - uid: mondoo-http-security-no-x-aspnetmvc-version + title: Remove all X-AspNetMvc-Version headers + mql: http.get.header.params.keys.none("X-AspNetMvc-Version") + docs: + desc: | + The X-AspNetMvc-Version header exposes information about the server software. Remove it to reduce the attack surface. 
+ refs: + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-aspnetmvc-version + title: OWASP HTTP Security Response Headers Cheat Sheet + - uid: mondoo-http-security-no-public-key-pins + title: The header Public-Key-Pins is deprecated and should not be used + mql: http.get.header.params.keys.none("Public-Key-Pins") + docs: + desc: | + The Public-Key-Pins header is deprecated and should not be used anymore. + refs: + - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#public-key-pins-hpkp + title: OWASP HTTP Security Response Headers Cheat Sheet \ No newline at end of file
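Review bot: in hunk `@@ -62,6 +67,8 @@`, the OWASP reference added to the `mondoo-http-security-x-content-type-options-nosniff` query points at the wrong section of the cheat sheet: the URL ends in `#x-xss-protection`, but the query is about X-Content-Type-Options. Following the anchor convention the other refs in this PR use (`#server`, `#x-powered-by`, `#x-aspnet-version`), this should be `https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options` so the link lands on the matching recommendation.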
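Review bot: in hunk `@@ -80,3 +87,48 @@`, the `desc` of `mondoo-http-security-obfuscate-server` is a copy-paste of the X-Powered-By text (`The X-Powered-By header exposes information about the server software. Remove it to reduce the attack surface.`) and should describe the Server header instead, for example `The Server header exposes the web server software and version. Remove it or set a non-informative value.` The `mql` for that check is also worth a comment in the docs: `none(_ == /nginx|microsoft|apache|lsws|openresty/)` only recognises five products, so a Server value such as `Caddy` or `gunicorn/21.2.0` passes even though it discloses the same kind of information, while a bare `nginx` with the version already stripped still fails; either document that the regex is a best-effort denylist, or invert the logic so the check passes only when the header is absent or matches an agreed allowlist of non-informative values. Two smaller points: the existing CSP query visible in the hunk context carries the HSTS URL as its ref `title`, which could be fixed while this file is being touched, and the file now ends without a trailing newline (`\ No newline at end of file`).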