headers package
v0.0.1-rc5
Published: Apr 28, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Package headers implements the HTTP-headers family of WebSec0 checks. All checks share a single homepage fetch via Target.CacheValue.

Index

Constants

const (
	IDCSPMissing            = "HEADER-CSP-MISSING"
	IDCSPUnsafeInline       = "HEADER-CSP-UNSAFE-INLINE"
	IDCSPUnsafeEval         = "HEADER-CSP-UNSAFE-EVAL"
	IDCSPWildcardSrc        = "HEADER-CSP-WILDCARD-SRC" //#nosec G101 -- public check identifier, not a credential
	IDCSPNoObjectSrc        = "HEADER-CSP-NO-OBJECT-SRC"
	IDCSPNoBaseURI          = "HEADER-CSP-NO-BASE-URI"
	IDCSPNoFrameAncestors   = "HEADER-CSP-NO-FRAME-ANCESTORS"
	IDXCTOMissing           = "HEADER-XCTO-MISSING"
	IDXFOMissing            = "HEADER-XFO-MISSING"
	IDReferrerPolicyMissing = "HEADER-REFERRER-POLICY-MISSING"
	IDReferrerPolicyUnsafe  = "HEADER-REFERRER-POLICY-UNSAFE"
	IDPermissionsPolicyMiss = "HEADER-PERMISSIONS-POLICY-MISSING"
	IDFeaturePolicyDeprec   = "HEADER-FEATURE-POLICY-DEPRECATED"
	IDCOOPMissing           = "HEADER-COOP-MISSING"
	IDCOEPMissing           = "HEADER-COEP-MISSING"
	IDCORPMissing           = "HEADER-CORP-MISSING"
	IDReportingEndpointsNo  = "HEADER-REPORTING-ENDPOINTS-NONE"
	IDNELNone               = "HEADER-NEL-NONE"
	IDXSSProtectionDeprec   = "HEADER-XSS-PROTECTION-DEPRECATED"
	IDHPKPDeprecated        = "HEADER-HPKP-DEPRECATED"
	IDExpectCTDeprecated    = "HEADER-EXPECT-CT-DEPRECATED"
	IDInfoServer            = "HEADER-INFO-SERVER"
	IDInfoXPoweredBy        = "HEADER-INFO-X-POWERED-BY"
	IDInfoXAspNetVersion    = "HEADER-INFO-X-ASPNET-VERSION"
	IDInfoXGenerator        = "HEADER-INFO-X-GENERATOR"
	IDInfoServerTiming      = "HEADER-INFO-SERVER-TIMING"
)

Check IDs for the HTTP-headers family.

Variables

This section is empty.

Functions

func Register

func Register(r *checks.Registry)

Register adds every HTTP-headers check to r.

Types

type CSP

type CSP struct {
	Raw        string
	Directives map[string][]string
}

CSP is the parsed Content-Security-Policy. Directive names are lowercased; tokens preserve their original case (case-sensitive in CSP).

func ParseCSP

func ParseCSP(raw string) *CSP

ParseCSP returns nil when raw is empty. Multiple `;`-separated directives map onto one entry per name. When a directive name appears more than once, the first occurrence is kept as the effective value and later duplicates are ignored (this matches Chrome's behaviour and what `csp-evaluator` reports).
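The following is an added illustration, not the package's own code: a hypothetical `parseCSP` that follows the documented ParseCSP semantics (lowercased directive names, case-preserved tokens, first duplicate wins), plus a hypothetical `evaluateCSP` that maps a policy onto the HEADER-CSP-* check IDs above. The page lists only the IDs, so the trigger rule behind each ID is an assumption here.

```go
package main

import "strings"

// parseCSP re-implements the documented ParseCSP semantics (hypothetical, not
// the package's code): names are lowercased, tokens keep case, first duplicate wins.
func parseCSP(raw string) map[string][]string {
	dirs := map[string][]string{}
	for _, part := range strings.Split(raw, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		if name := strings.ToLower(fields[0]); dirs[name] == nil {
			dirs[name] = append([]string{}, fields[1:]...)
		}
	}
	return dirs
}

// evaluateCSP maps a raw policy onto the HEADER-CSP-* check IDs. Trigger rules
// are assumptions: script-src (falling back to default-src) is scanned for weak
// tokens, and object-src, base-uri and frame-ancestors must be present.
func evaluateCSP(raw string) []string {
	if strings.TrimSpace(raw) == "" {
		return []string{"HEADER-CSP-MISSING"}
	}
	dirs := parseCSP(raw)
	script := dirs["script-src"]
	if script == nil {
		script = dirs["default-src"]
	}
	scriptTokens := " " + strings.Join(script, " ") + " " // exact-token lookup
	var ids []string
	for _, c := range []struct{ tok, dir, id string }{
		{"'unsafe-inline'", "", "HEADER-CSP-UNSAFE-INLINE"},
		{"'unsafe-eval'", "", "HEADER-CSP-UNSAFE-EVAL"},
		{"*", "", "HEADER-CSP-WILDCARD-SRC"},
		{"", "object-src", "HEADER-CSP-NO-OBJECT-SRC"},
		{"", "base-uri", "HEADER-CSP-NO-BASE-URI"},
		{"", "frame-ancestors", "HEADER-CSP-NO-FRAME-ANCESTORS"},
	} {
		_, have := dirs[c.dir]
		weak := c.tok != "" && strings.Contains(scriptTokens, " "+c.tok+" ")
		if weak || (c.tok == "" && !have) {
			ids = append(ids, c.id)
		}
	}
	return ids
}
```

Feeding it a policy with a duplicated `script-src` shows why the first-occurrence rule matters: a later `script-src 'none'` does not cancel an earlier `'unsafe-inline'`.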

type FetchResult

type FetchResult struct {
	Reachable bool
	URL       string
	Status    int
	// ProtoMajor / ProtoMinor capture the negotiated HTTP version
	// (e.g. 2/0 for HTTP/2). resp.Proto contains a "HTTP/2.0" string.
	ProtoMajor int
	ProtoMinor int
	Headers    http.Header
	Body       []byte
	Err        error
}

FetchResult is the captured homepage response.

func Fetch

func Fetch(ctx context.Context, t *checks.Target) (*FetchResult, error)

Fetch performs a single HTTPS GET on the target's root and memoises the result on the Target.

func (*FetchResult) AllHeaders

func (f *FetchResult) AllHeaders(name string) []string

AllHeaders returns every value of name. Some headers (Set-Cookie, CSP-Report-Only, etc.) may legitimately appear multiple times.

func (*FetchResult) Header

func (f *FetchResult) Header(name string) string

Header returns the first value of name (case-insensitive) or "".
