--- /dev/null
+
+\begin{enumerate}[label={11.\arabic*}]
+
+\item\fail{}
+Verify that the application accepts only a defined
+set of required HTTP request methods, such as
+GET and POST are accepted, and unused methods
+(e.g. TRACE, PUT, and DELETE) are explicitly
+blocked.
+\begin{result}
+ The application treats only \texttt{POST} requests as different from
+ others and in an opportunistic manner. It assumes all other methods to be
+ treated as \texttt{GET} requests.
+\end{result}
+
+\item\pass{}
+Verify that every HTTP response contains a
+content type header specifying a safe character set
+(e.g., UTF-8, ISO 8859-1).
+\begin{result}
+ Content type headers may be set anywhere in the application. Furthermure,
+ \texttt{Response::send} ensures that if no content type header is set, all
+ responses will fall back to using \texttt{text/html; charset=UTF-8}.
+\end{result}
+
+\notapplicable{\item
+Verify that HTTP headers added by a trusted proxy
+or SSO devices, such as a bearer token, are
+authenticated by the application.}
+
+% No proxies are present
+
+\item\fail{}
+Verify that a suitable X-FRAME-OPTIONS header is
+in use for sites where content should not be
+viewed in a 3rd-party X-Frame.
+\begin{result}
+ The application will never supply an \texttt{X-FRAME-OPTIONS} header. While
+ this is not really a problem for the home page, a 3rd party X-Frame should
+ not be able to refer to the administrative interfaces of the application.
+\end{result}
+
+\item\pass{}
+Verify that the HTTP headers or any part of the
+HTTP response do not expose detailed version
+information of system components.
+\begin{result}
+ The headers provide information about the PHP version (these are added by
+ the PHP interpreter by default) and information about the webserver. This
+ information is not specific for the application. It would be advisable to
+ hide the PHP version to the client, but this is specific to the way the
+ application is installed.
+\end{result}
+
+\item\pass{}
+\TODO \\
+Verify that all API responses contain X-Content-Type-Options:
+nosniff and Content-Disposition:
+attachment; filename="api.json" (or other
+appropriate filename for the content type).
+\begin{result}
+\end{result}
+
+\item\pass{}
+\TODO \\
+Verify that a content security policy (CSPv2) is in
+place that helps mitigate common DOM, XSS,
+JSON, and JavaScript injection vulnerabilities.
+\begin{result}
+\end{result}
+
+\item\pass{}
+\TODO \\
+Verify that the X-XSS-Protection: 1; mode=block
+header is in place to enable browser reflected XSS
+filters.
+\begin{result}
+\end{result}
+
+\end{enumerate}
repositories / ssproject1617.git / commitdiff