X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv11_httpsec.tex;h=1b0cc4fe3340bc76965d88bb6b1cc51b126911f5;hb=3c8879cf6599fdcea20ac18910260e929d65bec4;hp=18400595d66acbbe2ec05227cf21ac40fe830dc0;hpb=b4eaf4d5efb8cea0c57c5d14be25ff38c1deeb2d;p=ssproject1617.git diff --git a/report/v11_httpsec.tex b/report/v11_httpsec.tex index 1840059..1b0cc4f 100644 --- a/report/v11_httpsec.tex +++ b/report/v11_httpsec.tex 
@@ -3,29 +3,29 @@ \item\fail{} Verify that the application accepts only a defined -set of required HTTP request methods, such as -GET and POST are accepted, and unused methods -(e.g. TRACE, PUT, and DELETE) are explicitly +set of required \HTTP{} request methods, such as +\GET{} and \POST{} are accepted, and unused methods +(e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly blocked. \begin{result} - The application treats only \texttt{POST} requests as different from + The application treats only \POST{} requests as different from others and in an opportunistic manner. It assumes all other methods to be - treated as \texttt{GET} requests. + treated as \GET{} requests. \end{result} \item\pass{} -Verify that every HTTP response contains a +Verify that every \HTTP{} response contains a content type header specifying a safe character set -(e.g., UTF-8, ISO 8859-1). +(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}). \begin{result} - Content type headers may be set anywhere in the application. Furthermure, - \texttt{Response::send} ensures that if no content type header is set, all - responses will fall back to using \texttt{text/html; charset=UTF-8}. + Content type headers may be set anywhere in the application. Furthermure,\\ + \code{Response::send} ensures that if no content type header is set, all + responses will fall back to using \code{text/html; charset=UTF-8}. \end{result} \notapplicable{\item -Verify that HTTP headers added by a trusted proxy -or SSO devices, such as a bearer token, are +Verify that \HTTP{} headers added by a trusted proxy +or \SSO{} devices, such as a bearer token, are authenticated by the application.} % No proxies are present 
@@ -35,30 +35,31 @@ Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame. \begin{result} - The application will never supply an \texttt{X-FRAME-OPTIONS} header. While + The application will never supply an \code{X-FRAME-OPTIONS} header. While this is not really a problem for the home page, a 3rd party X-Frame should - not be able to refer to the administrative interfaces of the application. + not be able to refer to the administrative interfaces of the application + and this should be fixed. \end{result} \item\pass{} -Verify that the HTTP headers or any part of the -HTTP response do not expose detailed version +Verify that the \HTTP{} headers or any part of the +\HTTP{} response do not expose detailed version information of system components. \begin{result} - The headers provide information about the PHP version (these are added by - the PHP interpreter by default) and information about the webserver. This + The headers provide information about the \PHP{} version (these are added by + the \PHP{} interpreter by default) and information about the webserver. This information is not specific for the application. It would be advisable to - hide the PHP version to the client, but this is specific to the way the + hide the \PHP{} version to the client, but this is specific to the way the application is installed. \end{result} \item\fail{} -Verify that all API responses contain X-Content-Type-Options: -nosniff and Content-Disposition: -attachment; filename="api.json" (or other +Verify that all \API{} responses contain \code{X-Content-Type-Options: +nosniff} and\\ +\code{Content-Disposition: attachment; filename="api.json"} (or other appropriate filename for the content type). \begin{result} - The application does not supply the \texttt{X-Content-Type-Options} header. + The application does not supply the \code{X-Content-Type-Options} header. \end{result} \item\fail{} 
@@ -71,10 +72,10 @@ JSON, and JavaScript injection vulnerabilities. \item\fail{} Verify that the X-XSS-Protection: 1; mode=block -header is in place to enable browser reflected XSS +header is in place to enable browser reflected \XSS{} filters. \begin{result} - The application does not supply the \texttt{X-XSS-Protection} header. + The application does not supply the \code{X-XSS-Protection} header. \end{result} \end{enumerate}
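Review bot: in the first hunk (@@ -3,29 +3,29 @@) the typo in the Content-Type result survives the edit: the changed line now reads `Furthermure,\\` and should read `Furthermore,`. The forced line break `\\` added before `\code{Response::send}` is a layout hack that leaves a ragged line inside the `result` environment; if the aim is to avoid an overfull box, let the `\code` argument be breakable or use `\sloppy` for the environment instead of a hard break. The `{-}` in `\emph{ISO 8859{-}1}` is fine, since it only suppresses a line break at the hyphen.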
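Review bot: in the second hunk (@@ -35,30 +35,31 @@) the added sentence "and this should be fixed" in the X-FRAME-OPTIONS result is vaguer than the rest of the report; state the remediation, e.g. that the administrative interfaces should send `X-Frame-Options: DENY` (or `SAMEORIGIN` if the application frames its own pages). In the same hunk, "hide the \PHP{} version to the client" should read "from the client". The result for the \API{} requirement only reports on `X-Content-Type-Options` although the requirement also asks about `Content-Disposition`; add whether that second header is supplied. Two style points: the requirement text still has `X-FRAME-OPTIONS` in plain type while the result wraps it in `\code{}`, and `\code{Content-Disposition: attachment; filename="api.json"}` contains straight double quotes, which, if `\code` is built on `\texttt`, are typeset as curly closing quotes unless the `upquote` package (or `\textquotedbl`) is used.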
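Review bot: in the third hunk (@@ -71,10 +72,10 @@) the header in the requirement text, `X-XSS-Protection: 1; mode=block`, is still plain type while the result uses `\code{X-XSS-Protection}`; wrap it in `\code{}` as the second hunk did for `X-Content-Type-Options`, so that all header names and values in the section are set the same way. Otherwise the macro conversion in this hunk is complete.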