X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv11_httpsec.tex;h=1b0cc4fe3340bc76965d88bb6b1cc51b126911f5;hb=3c8879cf6599fdcea20ac18910260e929d65bec4;hp=bf075c6eb51f452f32fc381c191a626ce1944d74;hpb=25df7fe04a2582de5f4c5017b143a4c3e2276338;p=ssproject1617.git diff --git a/report/v11_httpsec.tex b/report/v11_httpsec.tex index bf075c6..1b0cc4f 100644 --- a/report/v11_httpsec.tex +++ b/report/v11_httpsec.tex 
@@ -1,31 +1,31 @@ -\begin{enumerate}[label={11.\arabic*}] +\begin{enumerate}[label={V11.\arabic*}] \item\fail{} Verify that the application accepts only a defined -set of required HTTP request methods, such as -GET and POST are accepted, and unused methods -(e.g. TRACE, PUT, and DELETE) are explicitly +set of required \HTTP{} request methods, such as +\GET{} and \POST{} are accepted, and unused methods +(e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly blocked. \begin{result} - The application treats only \texttt{POST} requests as different from + The application treats only \POST{} requests as different from others and in an opportunistic manner. It assumes all other methods to be - treated as \texttt{GET} requests. + treated as \GET{} requests. \end{result} \item\pass{} -Verify that every HTTP response contains a +Verify that every \HTTP{} response contains a content type header specifying a safe character set -(e.g., UTF-8, ISO 8859-1). +(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}). \begin{result} - Content type headers may be set anywhere in the application. Furthermure, - \texttt{Response::send} ensures that if no content type header is set, all - responses will fall back to using \texttt{text/html; charset=UTF-8}. + Content type headers may be set anywhere in the application. Furthermure,\\ + \code{Response::send} ensures that if no content type header is set, all + responses will fall back to using \code{text/html; charset=UTF-8}. \end{result} \notapplicable{\item -Verify that HTTP headers added by a trusted proxy -or SSO devices, such as a bearer token, are +Verify that \HTTP{} headers added by a trusted proxy +or \SSO{} devices, such as a bearer token, are authenticated by the application.} % No proxies are present 
@@ -35,46 +35,47 @@ Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame. \begin{result} - The application will never supply an \texttt{X-FRAME-OPTIONS} header. While + The application will never supply an \code{X-FRAME-OPTIONS} header. While this is not really a problem for the home page, a 3rd party X-Frame should - not be able to refer to the administrative interfaces of the application. + not be able to refer to the administrative interfaces of the application + and this should be fixed. \end{result} \item\pass{} -Verify that the HTTP headers or any part of the -HTTP response do not expose detailed version +Verify that the \HTTP{} headers or any part of the +\HTTP{} response do not expose detailed version information of system components. \begin{result} - The headers provide information about the PHP version (these are added by - the PHP interpreter by default) and information about the webserver. This + The headers provide information about the \PHP{} version (these are added by + the \PHP{} interpreter by default) and information about the webserver. This information is not specific for the application. It would be advisable to - hide the PHP version to the client, but this is specific to the way the + hide the \PHP{} version to the client, but this is specific to the way the application is installed. \end{result} -\item\pass{} -\TODO \\ -Verify that all API responses contain X-Content-Type-Options: -nosniff and Content-Disposition: -attachment; filename="api.json" (or other +\item\fail{} +Verify that all \API{} responses contain \code{X-Content-Type-Options: +nosniff} and\\ +\code{Content-Disposition: attachment; filename="api.json"} (or other appropriate filename for the content type). \begin{result} + The application does not supply the \code{X-Content-Type-Options} header. 
\end{result} -\item\pass{} -\TODO \\ +\item\fail{} Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities. \begin{result} + There is no content security policy in place. \end{result} -\item\pass{} -\TODO \\ +\item\fail{} Verify that the X-XSS-Protection: 1; mode=block -header is in place to enable browser reflected XSS +header is in place to enable browser reflected \XSS{} filters. \begin{result} + The application does not supply the \code{X-XSS-Protection} header. \end{result} \end{enumerate}
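Review bot: in the first hunk (V11.2 result) the spelling error "Furthermure" survives the rewrite of that line even though the line is being touched anyway; change it to "Furthermore" while you are here. The same line also gains a hard `\\` after "Furthermure," to keep `\code{Response::send}` off a broken line, which leaves a ragged paragraph inside the `result` environment; rewording (e.g. "Furthermore, if no content type header is set, \code{Response::send} falls back to ...") avoids the manual break. For V11.1 the result explains that only \POST{} is treated specially and everything else is handled as \GET{}, but it never states the consequence the requirement is actually about, namely that \TRACE{}, \PUT{} and \DELETE{} are not explicitly blocked; one sentence saying so makes the \fail{} verdict self-evident to the reader.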
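Review bot: in the second hunk the new \fail{} result for the \API{} item only justifies half of the verdict: the requirement asks for both `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment; filename="api.json"`, but the result only says the application does not supply `X-Content-Type-Options`. State whether the application exposes \API{} responses at all and whether `Content-Disposition` is set on them, otherwise the reader cannot tell if the second header was checked. The version-information item keeps \pass{} while its result admits that the headers expose the \PHP{} version and webserver information and then says hiding the version "would be advisable"; either make explicit that this is judged out of scope because it is a deployment rather than an application property, or change the verdict, because as written the result reads like a \fail{}. Minor: the `and\\` inserted mid-sentence in the \API{} requirement text has the same manual-line-break problem as the first hunk, and the X-FRAME-OPTIONS result now ends with "and this should be fixed", so make sure the item's \pass{}/\fail{} marker (outside this hunk's context) agrees with that conclusion.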