186dccb0eb2322f6cdce368706ab9ee119e7c3b9
[ssproject1617.git] / report / v11_httpsec.tex

\begin{enumerate}[label={V11.\arabic*}]

\item\fail{}
Verify that the application accepts only a defined
set of required \HTTP{} request methods, such as
\GET{} and \POST{}, and that unused methods
(e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly
blocked.
\begin{result}
The application distinguishes only \POST{} requests from the rest, and
does so opportunistically. Every other method is handled as if it were a
\GET{} request.
\end{result}

\item\pass{}
Verify that every \HTTP{} response contains a
content type header specifying a safe character set
(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}).
\begin{result}
Content type headers may be set anywhere in the application. Furthermore,
\code{Response::send} ensures that if no content type header is set, all
responses fall back to \code{text/html; charset=UTF-8}.
\end{result}

\notapplicable{\item
Verify that \HTTP{} headers added by a trusted proxy
or \SSO{} devices, such as a bearer token, are
authenticated by the application.}

% No proxies are present

\item\fail{}
Verify that a suitable X-FRAME-OPTIONS header is
in use for sites where content should not be
viewed in a 3rd-party X-Frame.
\begin{result}
The application never supplies an \code{X-FRAME-OPTIONS} header. While
this is not really a problem for the home page, a 3rd-party frame should
not be able to embed the administrative interfaces of the application,
and this should be fixed.
\end{result}

\item\pass{}
Verify that the \HTTP{} headers or any part of the
\HTTP{} response do not expose detailed version
information of system components.
\begin{result}
The headers reveal the \PHP{} version (added by the \PHP{} interpreter by
default) and information about the webserver. This information is not
specific to the application. It would be advisable to hide the \PHP{}
version from the client, but this depends on how the application is
installed.
\end{result}

\item\fail{}
Verify that all \API{} responses contain \code{X-Content-Type-Options:
nosniff} and\\
\code{Content-Disposition: attachment; filename="api.json"} (or other
appropriate filename for the content type).
\begin{result}
The application does not supply the \code{X-Content-Type-Options} header.
\end{result}

\item\fail{}
Verify that a content security policy (CSPv2) is in
place that helps mitigate common DOM, XSS,
JSON, and JavaScript injection vulnerabilities.
\begin{result}
There is no content security policy in place.
\end{result}

\item\fail{}
Verify that the \code{X-XSS-Protection: 1; mode=block}
header is in place to enable browser reflected \XSS{}
filters.
\begin{result}
The application does not supply the \code{X-XSS-Protection} header.
\end{result}

\end{enumerate}
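The following is an added example, not code from the audited application or from this report's repository. It shows, in one place, the two remediations the V11 findings above call for: an explicit request-method allow-list that answers unlisted methods with 405 instead of treating them as \GET{} (V11.1), and the response headers for V11.2, V11.4, V11.6, V11.7 and V11.8; it also includes a small checker that reports which V11 items a captured set of response headers fails (V11.5 is checked by looking for version numbers in \code{Server} and \code{X-Powered-By}). The names \code{ALLOWED_METHODS}, \code{handle_request}, \code{audit_headers} and the sample header sets are assumptions made for this example; the sample values are constructed, not taken from the application.

```python
"""Added example: HTTP method allow-list, hardened response headers, and an
ASVS V11 header audit. Not the audited application's code; all names and
sample values below are constructed for illustration."""
import re

# Assumption: the application only needs these methods. Anything else is
# rejected outright instead of being handled as GET (the V11.1 finding).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Headers satisfying V11.2, V11.4, V11.6, V11.7 and V11.8 of the checklist.
# The CSP is a deliberately strict starting point; a real policy must list
# the script, style and image origins the application actually uses.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-XSS-Protection": "1; mode=block",
}


def handle_request(method: str, body: str = "<p>ok</p>") -> tuple:
    """Return (status, headers, body). Unlisted methods get 405 plus an
    Allow header, which is the explicit block V11.1 asks for."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        headers = {
            "Allow": ", ".join(sorted(ALLOWED_METHODS)),
            "Content-Type": "text/plain; charset=UTF-8",
        }
        return 405, headers, "Method Not Allowed"
    return 200, dict(HARDENED_HEADERS), body


VERSION_RE = re.compile(r"\d+\.\d+")          # e.g. "PHP/7.0.0", "Apache/2.4.0"
SAFE_CHARSETS = {"utf-8", "iso-8859-1"}       # the charsets V11.2 names


def audit_headers(headers: dict) -> list:
    """Return the V11 item numbers (as numbered in this report) that a
    response with these headers fails. Header names are matched
    case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    failed = []

    # V11.2: content type must declare a safe charset.
    m = re.search(r"charset=([\w-]+)", h.get("content-type", ""), re.I)
    if not m or m.group(1).lower() not in SAFE_CHARSETS:
        failed.append("V11.2")

    # V11.4: framing must be restricted.
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        failed.append("V11.4")

    # V11.5: no component version numbers in server-identifying headers.
    if any(VERSION_RE.search(h.get(n, "")) for n in ("server", "x-powered-by")):
        failed.append("V11.5")

    # V11.6: MIME sniffing disabled.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failed.append("V11.6")

    # V11.7: some content security policy present.
    if "content-security-policy" not in h:
        failed.append("V11.7")

    # V11.8: reflected-XSS filter enabled in blocking mode.
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        failed.append("V11.8")

    return failed


# Constructed sample of the situation the report describes: default
# interpreter and webserver banners, the UTF-8 fallback from Response::send,
# and none of the security headers. Version strings are made up.
AS_FOUND_HEADERS = {
    "Server": "Apache/2.4.0 (Example)",
    "X-Powered-By": "PHP/7.0.0",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    print("as found, failing items:", audit_headers(AS_FOUND_HEADERS))
    status, hdrs, _ = handle_request("GET")
    print("hardened GET:", status, "failing items:", audit_headers(hdrs))
    print("TRACE status:", handle_request("TRACE")[0])
```

Running the module prints the failing items for the as-found headers (V11.4 through V11.8, matching the verdicts above), an empty list for the hardened response, and 405 for \TRACE{}. Two caveats when reusing this: the \code{Server} and \code{X-Powered-By} banners are set by the webserver and interpreter, so V11.5 is fixed in their configuration (for example \code{expose_php = Off} in \code{php.ini}) rather than in application code; and current browsers have removed the reflected-XSS auditor that \code{X-XSS-Protection} controlled, so the content security policy is the control that actually mitigates injection today, with the V11.8 header kept only because this version of the checklist asks for it.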