Added a chapter analysing Fortify's results; some general beautification; modified...
[ssproject1617.git] / report / v11_httpsec.tex

\begin{enumerate}[label={V11.\arabic*}]

\item\fail{}
Verify that the application accepts only a defined
set of required HTTP request methods, such as
GET and POST, and that unused methods
(e.g. TRACE, PUT, and DELETE) are explicitly
blocked.
\begin{result}
The application only treats \texttt{POST} requests differently from the
others, and does so opportunistically: it handles every other method as if
it were a \texttt{GET} request.
\end{result}

\item\pass{}
Verify that every HTTP response contains a
content type header specifying a safe character set
(e.g., UTF-8, ISO 8859-1).
\begin{result}
Content type headers may be set anywhere in the application. Furthermore,
\texttt{Response::send} ensures that if no content type header is set, all
responses fall back to \texttt{text/html; charset=UTF-8}.
\end{result}

\notapplicable{\item
Verify that HTTP headers added by a trusted proxy
or SSO devices, such as a bearer token, are
authenticated by the application.}

% No proxies are present

\item\fail{}
Verify that a suitable X-FRAME-OPTIONS header is
in use for sites where content should not be
viewed in a 3rd-party X-Frame.
\begin{result}
The application never supplies an \texttt{X-FRAME-OPTIONS} header. While
this is not really a problem for the home page, a 3rd-party frame should
not be able to embed the administrative interfaces of the application.
\end{result}

\item\pass{}
Verify that the HTTP headers or any part of the
HTTP response do not expose detailed version
information of system components.
\begin{result}
The headers reveal the PHP version (added by the PHP interpreter by
default) and information about the web server. This information is not
specific to the application. It would be advisable to hide the PHP version
from the client, but this depends on how the application is installed.
\end{result}

\item\fail{}
Verify that all API responses contain X-Content-Type-Options:
nosniff and Content-Disposition:
attachment; filename="api.json" (or other
appropriate filename for the content type).
\begin{result}
The application does not supply the \texttt{X-Content-Type-Options} header.
\end{result}

\item\fail{}
Verify that a content security policy (CSPv2) is in
place that helps mitigate common DOM, XSS,
JSON, and JavaScript injection vulnerabilities.
\begin{result}
There is no content security policy in place.
\end{result}

\item\fail{}
Verify that the X-XSS-Protection: 1; mode=block
header is in place to enable browser reflected XSS
filters.
\begin{result}
The application does not supply the \texttt{X-XSS-Protection} header.
\end{result}

\end{enumerate}
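As an added example (not part of this report or of the audited application), the following Python checker evaluates a captured set of response headers against the header items above (V11.2 and V11.4 to V11.8). The sample header values are constructed, and the V11.5 check flags any version string in \texttt{Server} or \texttt{X-Powered-By}, which is stricter than the verdict given for that item.

```python
import re

VERSION_RE = re.compile(r"\d+\.\d+")  # matches e.g. "PHP/7.0.x", "Apache/2.4.x"

def audit_v11(headers):
    """Return {check_id: (passed, note)}; header names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    # V11.2: Content-Type must declare a character set.
    ctype = h.get("content-type", "")
    results["V11.2"] = ("charset=" in ctype.lower(), f"Content-Type: {ctype or '<missing>'}")
    # V11.4: only DENY or SAMEORIGIN stop third-party framing.
    xfo = h.get("x-frame-options", "").strip().upper()
    results["V11.4"] = (xfo in ("DENY", "SAMEORIGIN"), f"X-Frame-Options: {xfo or '<missing>'}")
    # V11.5: a version number in Server / X-Powered-By counts as exposure.
    leaks = [k for k in ("server", "x-powered-by") if VERSION_RE.search(h.get(k, ""))]
    results["V11.5"] = (not leaks, ("version string in: " + ", ".join(leaks)) if leaks else "none")
    # V11.6: nosniff is the only valid value.
    xcto = h.get("x-content-type-options", "").strip().lower()
    results["V11.6"] = (xcto == "nosniff", f"X-Content-Type-Options: {xcto or '<missing>'}")
    # V11.7: a CSP that allows 'unsafe-inline' does not mitigate XSS, so it fails too.
    csp = h.get("content-security-policy", "")
    results["V11.7"] = (bool(csp) and "'unsafe-inline'" not in csp,
                        f"Content-Security-Policy: {csp or '<missing>'}")
    # V11.8: exact value "1; mode=block", ignoring whitespace.
    xxp = h.get("x-xss-protection", "").replace(" ", "").lower()
    results["V11.8"] = (xxp == "1;mode=block",
                        f"X-XSS-Protection: {h.get('x-xss-protection', '<missing>')}")
    return results

def failing(headers):
    """IDs of the checks that fail, in V11 order."""
    return [cid for cid, (ok, _) in audit_v11(headers).items() if not ok]

# Constructed sample mirroring the findings above: only the fallback Content-Type
# is set, and interpreter/server advertise versions (placeholder numbers).
AS_AUDITED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Powered-By": "PHP/7.0.x",
    "Server": "Apache/2.4.x",
}

# Constructed hardened set that satisfies every check.
HARDENED = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache",
            "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'", "X-XSS-Protection": "1; mode=block"}
```

Running `failing(AS_AUDITED)` reproduces the failed items of this section (plus V11.5 under the stricter rule), while `failing(HARDENED)` is empty.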