Constants ¶
// HSTSMinMaxAge is the minimum recommended Strict-Transport-Security max-age,
// expressed in seconds: half a year (6 months), i.e. 15768000.
const HSTSMinMaxAge = 365 * 24 * 60 * 60 / 2
Variables ¶
// CSPBroadSources lists CSP source expressions that are too broad to act as
// a meaningful restriction: a bare scheme source or the wildcard.
var CSPBroadSources = []string{"https:", "http:", "*"}
// CSPCriticalDirectives lists the CSP directives a policy is expected to
// define explicitly.
var CSPCriticalDirectives = []string{"script-src", "object-src", "default-src"}
// CSPUnsafeValues lists CSP source values that should be restricted:
// the two 'unsafe-*' keywords and the data:/blob: scheme sources.
var CSPUnsafeValues = []string{
	"'unsafe-inline'", "'unsafe-eval'",
	"data:", "blob:",
}
// CSRFCookieNames contains common name patterns for anti-CSRF token cookies.
// Every entry is lowercase, so a caller matching against it presumably
// normalizes case first — confirm against the cookie analysis code.
var CSRFCookieNames = []string{
	"csrf", "csrftoken", "_csrf",
	"xsrf", "xsrf-token", "_xsrf",
	"antiforgery", "__requestverificationtoken",
}
// CacheHeaders lists the response headers related to caching that the
// checker reports (presumably the source of Result.CacheHeaders).
var CacheHeaders = []string{
	"Cache-Control", "Pragma",
	"Last-Modified", "Expires", "ETag",
}
// InformationHeaders lists response headers that may disclose server
// software or version details (presumably the source of Result.InfoHeaders).
var InformationHeaders = []string{
	"X-Powered-By", "Server",
	"X-AspNet-Version", "X-AspNetMvc-Version",
}
// ReferrerPolicyPrivate contains the Referrer-Policy values treated as secure.
var ReferrerPolicyPrivate = []string{
	"no-referrer", "same-origin",
	"strict-origin", "strict-origin-when-cross-origin",
}
// ReferrerPolicyUnsafe contains the Referrer-Policy values treated as unsafe.
var ReferrerPolicyUnsafe = []string{
	"unsafe-url", "origin",
	"origin-when-cross-origin", "no-referrer-when-downgrade",
}
// SecurityHeaders defines the security headers to check, keyed by header
// name, with the severity level associated with each ("error", "warning"
// or "deprecated"). HeaderInfo.Severity carries this level for missing
// headers. Entries are grouped by severity below; map order is irrelevant.
var SecurityHeaders = map[string]string{
	// error
	"Strict-Transport-Security": "error",

	// warning
	"X-Frame-Options":              "warning",
	"X-Content-Type-Options":       "warning",
	"Content-Security-Policy":      "warning",
	"Referrer-Policy":              "warning",
	"Permissions-Policy":           "warning",
	"Cross-Origin-Embedder-Policy": "warning",
	"Cross-Origin-Resource-Policy": "warning",
	"Cross-Origin-Opener-Policy":   "warning",

	// deprecated: no longer recommended, presumably listed only when
	// Options.ShowDeprecated is set — confirm
	"X-XSS-Protection":                  "deprecated",
	"X-Permitted-Cross-Domain-Policies": "deprecated",
	"Expect-CT":                         "deprecated",
}
// SessionCookieNames contains common name patterns for session and
// authentication cookies. Every entry is lowercase, so a caller matching
// against it presumably normalizes case first — confirm against the
// cookie analysis code.
var SessionCookieNames = []string{
	// generic session identifiers
	"session", "sessionid", "sess", "sid",
	// framework-specific session cookies
	"phpsessid", "jsessionid", "aspsessionid", "asp.net_sessionid", "cfid", "cftoken",
	// authentication and bearer-token cookies
	"auth", "token", "jwt", "access_token", "refresh_token",
}
Types ¶
type CORSInfo ¶
// CORSInfo contains the CORS configuration analysis for a target. The
// per-field notes are inferred from the field names and JSON tags; confirm
// them against the code that populates the struct.
type CORSInfo struct {
	// AllowOrigin is the allowed origin reported by the server (assumed to
	// mirror Access-Control-Allow-Origin). A wildcard here appears to be
	// penalized via ObservatoryScoring.CORSWildcardCritical.
	AllowOrigin string `json:"allow_origin,omitempty"`
	// AllowCredentials has no omitempty, so a false value is still emitted.
	AllowCredentials bool `json:"allow_credentials"`
	// AllowMethods and AllowHeaders hold the allowed methods/headers as
	// raw strings rather than parsed lists.
	AllowMethods string `json:"allow_methods,omitempty"`
	AllowHeaders string `json:"allow_headers,omitempty"`
	// Issues lists the problems found in the CORS configuration; omitted
	// from JSON when empty.
	Issues []string `json:"issues,omitempty"`
}
type Checker ¶
// Checker is the main security header checker. Its fields are unexported,
// so it is configured through whatever constructor the package provides
// (not shown on this page) rather than a struct literal.
type Checker struct {
	// contains filtered or unexported fields
}
func (*Checker) CheckAllWithProgress ¶
func (c *Checker) CheckAllWithProgress(targets []string, onProgress ProgressCallback) []*Result
CheckAllWithProgress checks multiple targets concurrently, calling onProgress as each check completes.
type CookieInfo ¶
// CookieInfo contains the security-relevant attributes of one response
// cookie. Secure, HttpOnly and SameSite have no omitempty, so they are
// always emitted; the attribute-presence meanings below are inferred
// from the field names — confirm against the cookie parsing code.
type CookieInfo struct {
	Name     string   `json:"name"`             // cookie name
	Secure   bool     `json:"secure"`           // Secure attribute present
	HttpOnly bool     `json:"http_only"`        // HttpOnly attribute present
	SameSite string   `json:"same_site"`        // Strict, Lax, None, or empty (presumably: attribute absent)
	Path     string   `json:"path,omitempty"`   // Path attribute, if any
	Issues   []string `json:"issues,omitempty"` // problems found for this cookie; omitted when empty
}
type HeaderInfo ¶
// HeaderInfo contains information about a single response header as
// evaluated by the checker. It is used both for headers that are present
// (Value/Status) and for headers that are missing (Severity).
type HeaderInfo struct {
	Name     string   `json:"name"`               // header name
	Value    string   `json:"value"`              // header value; always emitted, presumably empty when missing
	Status   string   `json:"status,omitempty"`   // ok, warning, error
	Severity string   `json:"severity,omitempty"` // for missing headers (presumably the level from SecurityHeaders)
	Issues   []string `json:"issues,omitempty"`   // specific issues found
}
type ObservatoryScoring ¶
// ObservatoryScoring defines the scoring rules for each header/configuration.
// The trailing comment on each field records the modifier the field is
// expected to hold: negative values are penalties, positive values are
// bonuses. Bonuses are presumably only applied above a score threshold
// (see ScoreRule.Applied) — confirm against the scoring code.
type ObservatoryScoring struct {
	// Content-Security-Policy
	CSPMissing      int // -25
	CSPUnsafeInline int // -20
	CSPUnsafeEval   int // -10
	// Cookies
	CookiesSecureAll         int // +5 (bonus)
	CookiesSessionNoSecure   int // -40
	CookiesSessionNoHttpOnly int // -30
	CookiesNoSecure          int // -20
	CookiesNoSecureWithHSTS  int // -5
	// CORS
	CORSWildcardCritical int // -50
	// Referrer-Policy
	ReferrerPrivate int // +5 (bonus)
	ReferrerUnsafe  int // -5
	// Strict-Transport-Security
	HSTSMissingHTTPS int // -20
	HSTSShortMaxAge  int // -10
	HSTSPreload      int // +5 (bonus)
	// Subresource Integrity
	SRIMissing int // -5
	SRIPresent int // +5 (bonus)
	// X-Content-Type-Options
	XCTOMissing int // -5
	XCTOInvalid int // -5
	// X-Frame-Options
	XFOPresent int // +5 (bonus)
	XFOMissing int // -20
	XFOInvalid int // -20
	// Cross-Origin-Resource-Policy
	CORPSameOrigin int // +10 (bonus)
	CORPInvalid    int // -5
}
type Options ¶
// Options contains the configuration for the checker. Only field names and
// types are visible here; the per-field notes are inferred from the names
// and should be confirmed against the implementation.
type Options struct {
	CustomHeaders map[string]string // extra request headers sent with each request
	Port          string            // port override, kept as a string
	Cookie        string            // Cookie header value sent with each request
	Method        string            // HTTP method used for the request
	ProxyURL      string            // outbound proxy to route requests through, if set
	Timeout       int               // request timeout; unit not visible here — TODO confirm (seconds?)
	Workers       int               // concurrency bound for CheckAllWithProgress
	// NOTE(review): the name suggests TLS certificate verification is
	// skipped when set — confirm. Results collected that way were not
	// obtained from an authenticated server and should be read as such.
	DisableSSL      bool
	JSONOutput      bool // emit results as JSON instead of text
	ShowInfo        bool // include Result.InfoHeaders
	ShowCache       bool // include Result.CacheHeaders
	ShowDeprecated  bool // include headers marked "deprecated" in SecurityHeaders
	ShowCookies     bool // include Result.Cookies
	ShowCORS        bool // include Result.CORS
	ShowRedirection bool // include Result.Redirection
	FollowRedirects bool // follow HTTP redirects before analyzing the response
}
type ProgressCallback ¶
ProgressCallback is called when a check completes
type RedirectionInfo ¶
// RedirectionInfo contains the redirection analysis for a target. Field
// meanings are inferred from the names and JSON tags; confirm against the
// code that populates the struct.
type RedirectionInfo struct {
	FromURL   string   `json:"from_url"`         // URL the check started from
	ToURL     string   `json:"to_url"`           // URL the redirect chain ended at
	IsHTTPS   bool     `json:"is_https"`         // whether the final URL uses HTTPS; always emitted
	HopsCount int      `json:"hops_count"`       // number of redirects followed; always emitted
	Issues    []string `json:"issues,omitempty"` // problems found in the redirect chain; omitted when empty
}
type Result ¶
// Result contains the analysis result for a single target. Field meanings
// are inferred from the names and JSON tags; confirm against the checker.
type Result struct {
	// AllHeaders holds the raw response headers; omitted from JSON when empty.
	AllHeaders http.Header `json:"all_headers,omitempty"`
	Target       string `json:"target"`        // target as requested
	EffectiveURL string `json:"effective_url"` // URL actually analyzed (after redirects, presumably)
	// Error is non-empty when the check did not complete normally; the
	// remaining fields may be incomplete in that case.
	Error string `json:"error,omitempty"`
	// PresentHeaders and MissingHeaders have no omitempty, so an empty
	// result is still emitted (null for a nil slice, [] for an empty one).
	PresentHeaders []HeaderInfo `json:"present_headers"`
	MissingHeaders []HeaderInfo `json:"missing_headers"`
	// Optional sections; presumably gated by the Show* fields of Options.
	InfoHeaders  []HeaderInfo     `json:"info_headers,omitempty"`
	CacheHeaders []HeaderInfo     `json:"cache_headers,omitempty"`
	Cookies      []CookieInfo     `json:"cookies,omitempty"`
	CORS         *CORSInfo        `json:"cors,omitempty"`
	Redirection  *RedirectionInfo `json:"redirection,omitempty"`
	StatusCode  int         `json:"status_code"`           // HTTP status of the analyzed response
	SafeCount   int         `json:"safe_count"`            // number of headers judged safe
	UnsafeCount int         `json:"unsafe_count"`          // number of headers judged unsafe
	Score       int         `json:"score"`                 // numeric score after ScoreRules were applied
	Grade       string      `json:"grade"`                 // letter grade derived from Score
	ScoreRules  []ScoreRule `json:"score_rules,omitempty"` // rules evaluated; see ScoreRule.Applied
}
type ScoreRule ¶
// ScoreRule represents a scoring rule that was evaluated for a Result.
// Modifier is the rule's effect on the score; Applied distinguishes rules
// that were merely evaluated from those that changed the score.
type ScoreRule struct {
	Description string `json:"description"` // human-readable rule description
	Modifier    int    `json:"modifier"`    // positive for bonus, negative for penalty
	Applied     bool   `json:"applied"`     // whether it was actually applied (for bonuses that require score >= 90)
}