rfc-st / humble

A humble, and 𝗳𝗮𝘀𝘁, security-oriented HTTP headers analyzer.

Home Page: https://github.com/rfc-st/humble


Finetune returned "Missing HTTP Security Headers".

manuel-sommer opened this issue · comments

I would like to have a way to fine-tune humble so that only the headers I specify in my input are checked.
E.g. if I don't want "NEL" to be implemented, I would like to skip it in the "Missing HTTP Security Headers" section.

Hello!

I've been thinking these days about your suggestion ... if I understood it correctly, you suggest launching the analysis of a URL while excluding, via a parameter for example, the checks of several response headers (and by extension their checks at the level of values, directives, duplicity, etc.).

Honestly, it does not seem to me a good idea from a security point of view. The purpose of this tool is precisely to give a complete view of the response headers of a URL.

If we purposely omit certain headers in the analysis, we will not be performing it in its entirety. Of course, each user using this tool is free to follow, or not, exactly the recommendations after the analysis! :). For example: there are some response headers that can be "experimental" since their adoption is not massive ... in these cases, I understand that their implementation can be bypassed. In other cases, a user may not agree with me with the values and directives that this tool considers "safe".

And speaking precisely about this: you have given me an idea! Perhaps it could be interesting to highlight in the results those "experimental" response headers according to, for example, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers ... I will think about it!

Thanks for your time!

Best regards,

@rfc-st I hope this comment reaches you as you already closed this issue.
I have used https://github.com/Santandersecurityresearch/DrHeader in the past, but that scanner is not working very consistently. One feature I really like, though, is the capability to give an input file so that the scan is done based on that input: https://github.com/Santandersecurityresearch/DrHeader/blob/master/tests/test_resources/default_rules.yml
I understand your opinion about providing a full picture, but in some scenarios you want to extend iteratively the number of findings you provide to your stakeholders, so that you don't overwhelm them. Thus, I would really appreciate such a feature, and I guess it will help the scanner to become more mature.

Hello!

Let's not compare with other tools, which may be better, worse, more useful or different from this one. Let's talk about your needs.

What would be an example of your input with 'humble', and what would be the result you expect to get?

Help me understand your need.

Thanks!

Hi @rfc-st,

Yes, got your point.
So, basically I want to implement an automation around multiple vulnerability scanners, with the capability to fine-tune them, as I have different scenarios. The results of the vulnerability scanners will then be automatically uploaded to https://github.com/DefectDojo/django-DefectDojo. I would like to make a PR in DefectDojo to parse Humble findings.
In order to fine-tune Humble, I would like to have a way to skip one or multiple headers based on the scenario. Then I will not parse into DefectDojo findings that do not belong to the scenarios agreed between stakeholders.

Does this make sense?

Hello!

I appreciate your interest in making the 'humble' results parseable by DefectDojo. I have reviewed your PR (#12) and, due to the multi-language features of my tool, I have to rethink the JSON generation almost from scratch to make it work smoothly in English and Spanish, based on the https://github.com/rfc-st/humble/tree/master/i10n definitions.

It will take me some time to do it; but initially it seems to me a good suggestion.

And about the possibility of excluding certain headers and their controls ... I still don't agree. And I continue with my previous arguments: the analysis of a URL (in my opinion) should be complete, regardless of subsequent actions taken, or not, to enable the necessary headers or modify their values/directives: you need to have the full 'picture'.

I still don't see, honestly, the overall value of running a security analysis of response headers while excluding several of them, along with the checks of their values/directives, from the start.

Best regards,
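The two positions in this thread (a complete analysis vs. a per-scenario subset of findings) can both be served by separating analysis from reporting: analyze every header unconditionally, then filter what is forwarded to stakeholders. The following is an added illustration of that split, not humble's own code; the header list, the "experimental" tag on NEL (echoing the maintainer's idea above), the value checks and the sample response headers are all constructed for the example.

```python
"""Added example: analyze all security headers, filter only at report time."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed subset of security-related response headers; not humble's list.
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "NEL",
)

# Constructed tag marking headers whose adoption is not yet widespread.
EXPERIMENTAL = frozenset({"NEL"})

# One year in seconds; a common minimum recommendation for HSTS max-age.
HSTS_MIN_MAX_AGE = 31536000


@dataclass(frozen=True)
class Finding:
    header: str
    kind: str          # "missing" or "weak"
    detail: str
    experimental: bool


def _normalize(headers: dict[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _hsts_max_age(value: str) -> int | None:
    """Return the max-age directive of an HSTS value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, raw = directive.strip().partition("=")
        if key.lower() == "max-age":
            return int(raw) if raw.isdigit() else None
    return None


def analyze(headers: dict[str, str]) -> list[Finding]:
    """Always check every header in SECURITY_HEADERS; nothing is skipped here."""
    present = _normalize(headers)
    findings: list[Finding] = []
    for name in SECURITY_HEADERS:
        value = present.get(name.lower())
        experimental = name in EXPERIMENTAL
        if value is None:
            findings.append(Finding(name, "missing", "header not present", experimental))
            continue
        # Two simple, constructed value checks to show "weak" findings.
        if name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings.append(Finding(name, "weak", f"expected 'nosniff', got {value!r}", experimental))
        elif name == "Strict-Transport-Security":
            max_age = _hsts_max_age(value)
            if max_age is None:
                findings.append(Finding(name, "weak", "max-age directive absent or invalid", experimental))
            elif max_age < HSTS_MIN_MAX_AGE:
                findings.append(Finding(name, "weak", f"max-age {max_age} below {HSTS_MIN_MAX_AGE}", experimental))
    return findings


def report(findings: list[Finding], exclude: tuple[str, ...] = ()) -> list[Finding]:
    """Reporting-time filter: drop headers agreed out of scope for this scenario.

    The full analysis result is untouched; only the forwarded subset shrinks.
    """
    excluded = {name.lower() for name in exclude}
    return [f for f in findings if f.header.lower() not in excluded]


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "x-content-type-options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    everything = analyze(SAMPLE_HEADERS)
    for f in everything:
        tag = " (experimental)" if f.experimental else ""
        print(f"{f.kind:8} {f.header}{tag}: {f.detail}")
    print(f"forwarded to stakeholders: {len(report(everything, exclude=('NEL',)))} of {len(everything)}")
```

Running the block against the constructed sample yields six findings (five missing headers plus a weak HSTS max-age); reporting with `exclude=("NEL",)` forwards five of them while the analysis itself stays complete.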

Hi!

It may not be what you were looking for, but please, check out 932040f.

Regards,