% ssproject1617.git / report / v11_httpsec.tex

\begin{enumerate}[label={V11.\arabic*}]

\item\fail{}
Verify that the application accepts only a defined
set of required \HTTP{} request methods, such as
\GET{} and \POST{}, and that unused methods
(e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly
blocked.
\begin{result}
The application only distinguishes \POST{} requests from all others, and
does so opportunistically: every other method is handled as if it were a
\GET{} request.
\end{result}
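The following is an added example, not the project's front controller: it shows the shape of a dispatcher that honours V11.1 by routing only an explicit allow-list of methods and answering everything else with a 405, instead of letting unknown methods fall through to the \GET{} path. The function names, the \code{\$handlers} layout and the PHP 7.4 requirement are assumptions.

```php
<?php
// Added example, not the project's front controller: route only an explicit
// allow-list of HTTP methods and answer everything else with 405, instead of
// treating unknown methods as GET. Function names and the $handlers layout
// are assumptions; requires PHP 7.4 or newer.

declare(strict_types=1);

const ALLOWED_METHODS = ['GET', 'HEAD', 'POST'];

/** True only for methods the application intentionally supports (exact, case-sensitive match). */
function isAllowedMethod(string $method, array $allowed = ALLOWED_METHODS): bool
{
    return in_array($method, $allowed, true);
}

/** Emit a 405 with the mandatory Allow header and stop; TRACE, PUT, DELETE etc. end here. */
function respondMethodNotAllowed(array $allowed): void
{
    http_response_code(405);
    header('Allow: ' . implode(', ', $allowed));
    header('Content-Type: text/plain; charset=UTF-8');
    echo "Method Not Allowed\n";
    exit;
}

/**
 * Dispatch by method with no catch-all that silently maps unknown methods to
 * the GET handler. HEAD is served by the GET handler, as its semantics require.
 *
 * @param array<string,callable> $handlers keys 'GET' and 'POST'
 */
function dispatch(string $method, array $handlers): void
{
    if (!isAllowedMethod($method)) {
        respondMethodNotAllowed(ALLOWED_METHODS);
    }
    switch ($method) {
        case 'GET':
        case 'HEAD':
            $handlers['GET']();
            break;
        case 'POST':
            $handlers['POST']();
            break;
        // No default branch on purpose: anything not listed was rejected above.
    }
}

// Front controller entry point: read the method from the SAPI and dispatch.
dispatch($_SERVER['REQUEST_METHOD'] ?? '', [
    'GET'  => static function (): void { echo "home page\n"; },
    'POST' => static function (): void { echo "form handled\n"; },
]);
```

The check belongs at the very start of the front controller, before any routing or session handling. As defence in depth the same allow-list can be enforced by the web server before PHP runs at all (Apache \code{<LimitExcept GET POST HEAD>}, nginx \code{limit\_except GET POST}), so a misconfigured handler cannot reintroduce the fall-through.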

\item\pass{}
Verify that every \HTTP{} response contains a
content type header specifying a safe character set
(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}).
\begin{result}
Content type headers may be set anywhere in the application. Furthermore,
\code{Response::send} ensures that if no content type header is set, all
responses fall back to \code{text/html; charset=UTF-8}.
\end{result}

\notapplicable{\item
Verify that \HTTP{} headers added by a trusted proxy
or \SSO{} devices, such as a bearer token, are
authenticated by the application.}

% No proxies are present

\item\fail{}
Verify that a suitable X-FRAME-OPTIONS header is
in use for sites where content should not be
viewed in a 3rd-party X-Frame.
\begin{result}
The application never supplies an \code{X-FRAME-OPTIONS} header. While
this is not really a problem for the home page, a 3rd-party X-Frame should
not be able to embed the administrative interfaces of the application.
\end{result}

\item\pass{}
Verify that the \HTTP{} headers or any part of the
\HTTP{} response do not expose detailed version
information of system components.
\begin{result}
The headers provide information about the \PHP{} version (added by
the \PHP{} interpreter by default) and about the webserver. This
information is not specific to the application. It would be advisable to
hide the \PHP{} version from the client, but this is specific to the way the
application is installed.
\end{result}

\item\fail{}
Verify that all \API{} responses contain \code{X-Content-Type-Options:
nosniff} and\\
\code{Content-Disposition: attachment; filename="api.json"} (or other
appropriate filename for the content type).
\begin{result}
The application does not supply the \code{X-Content-Type-Options} header.
\end{result}

\item\fail{}
Verify that a content security policy (CSPv2) is in
place that helps mitigate common DOM, XSS,
JSON, and JavaScript injection vulnerabilities.
\begin{result}
There is no content security policy in place.
\end{result}

\item\fail{}
Verify that the \code{X-XSS-Protection: 1; mode=block}
header is in place to enable browser reflected \XSS{}
filters.
\begin{result}
The application does not supply the \code{X-XSS-Protection} header.
\end{result}

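The following is an added example, not the project's own \code{Response} class: a minimal response object that reproduces the content-type fall-back described under V11.2 and, in one place, adds the headers found missing under V11.4, V11.6, V11.7 and V11.8, plus the \PHP{} banner removal suggested under V11.5. The class, method and parameter names (\code{finalHeaders}, \code{\$adminArea}, \code{Response::json}) are assumptions, as is the PHP 7.4 requirement.

```php
<?php
// Added example, not the project's own Response class: a minimal response
// object whose send() applies the content-type fall-back described under
// V11.2 and the hardening headers missing under V11.4, V11.6, V11.7 and
// V11.8. Class, method and parameter names are assumptions; requires
// PHP 7.4 or newer.

declare(strict_types=1);

final class Response
{
    /** @var array<string,string> lower-cased header name => value */
    private array $headers = [];
    private int $status;
    private string $body;

    public function __construct(string $body = '', int $status = 200)
    {
        $this->body = $body;
        $this->status = $status;
    }

    /** Names are lower-cased so "content-type" and "Content-Type" cannot both be set. */
    public function withHeader(string $name, string $value): self
    {
        $this->headers[strtolower($name)] = $value;
        return $this;
    }

    /** Response for an API endpoint: JSON that is neither sniffed nor rendered inline (V11.6). */
    public static function json($data, int $status = 200, string $filename = 'api.json'): self
    {
        $encoded = json_encode($data, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
        return (new self($encoded, $status))
            ->withHeader('Content-Type', 'application/json; charset=UTF-8')
            ->withHeader('Content-Disposition', 'attachment; filename="' . $filename . '"');
    }

    /**
     * Final header set. Kept separate from send() so it can be inspected in
     * a unit test without emitting anything. $adminArea selects the stricter
     * framing policy for the administrative interfaces (V11.4).
     *
     * @return array<string,string>
     */
    public function finalHeaders(bool $adminArea = false): array
    {
        $h = $this->headers;

        // V11.2: every response carries a content type with an explicit charset.
        $h['content-type'] ??= 'text/html; charset=UTF-8';

        // V11.4 and V11.7: public pages may be framed by the site itself, the
        // admin interfaces by nobody. CSP frame-ancestors takes precedence over
        // X-Frame-Options in current browsers, so both must say the same thing.
        $ancestors = $adminArea ? "'none'" : "'self'";
        $h['content-security-policy'] ??= "default-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors {$ancestors}";
        $h['x-frame-options'] ??= $adminArea ? 'DENY' : 'SAMEORIGIN';

        // V11.6: stop MIME sniffing on every response, not only on API ones.
        $h['x-content-type-options'] ??= 'nosniff';

        // V11.8: legacy reflected-XSS filter switch; harmless where a browser ignores it.
        $h['x-xss-protection'] ??= '1; mode=block';

        return $h;
    }

    public function send(bool $adminArea = false): void
    {
        http_response_code($this->status);
        // V11.5: drop the interpreter's X-Powered-By banner here as well;
        // expose_php = Off in php.ini switches it off at the source.
        header_remove('X-Powered-By');
        foreach ($this->finalHeaders($adminArea) as $name => $value) {
            header(ucwords($name, '-') . ': ' . $value, true);
        }
        echo $this->body;
    }
}

// Self-check from the CLI (constructed sample bodies, nothing is emitted):
$admin = (new Response('<p>admin dashboard</p>'))->finalHeaders(true);
assert($admin['x-frame-options'] === 'DENY');
assert($admin['content-type'] === 'text/html; charset=UTF-8');
$api = Response::json(['status' => 'ok'])->finalHeaders();
assert($api['x-content-type-options'] === 'nosniff');
assert($api['content-disposition'] === 'attachment; filename="api.json"');
```

Controllers for the administrative interfaces would call \code{send(true)}, API endpoints would build their response through \code{Response::json}, and everything else keeps the defaults. The CSP shown is a deliberately strict starting point; individual pages that need inline scripts or external sources should widen it with \code{withHeader} rather than loosening the default for the whole application.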
\end{enumerate}