
Security Related Headers results in false positive when secure_headers gem is used #188

Open
monfresh opened this issue Jan 28, 2016 · 3 comments

Comments

@monfresh

In my app, I use the secure_headers gem, which takes care of all the issues reported by the Owasp Ror Cheatsheet Security Related Headers. It would be great if dawnscanner could check these two things:

  1. That the secure_headers gem is present in the app's Gemfile.lock

  2. That the application_controller.rb contains the following lines:

    include SecureHeaders
    ensure_security_headers

If both of those conditions are met, then the Security Related Headers issue should not be reported.

@monfresh
Author

Actually, ensure_security_headers has been removed in version 3.0 of secure_headers, so perhaps just making sure it's in Gemfile.lock is enough? Another thing that could be checked is that the default configuration hasn't been changed for these headers:

SecureHeaders::Configuration.default do |config|
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
end

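A check of the kind both comments above ask for (secure_headers present in Gemfile.lock, header defaults left unchanged), as an added example; it is not dawnscanner's or secure_headers' own code, and the lockfile and configuration text it reads are constructed samples.

```ruby
# Added example (not dawnscanner's or secure_headers' code); defaults per the issue.
SECURE_HEADERS_DEFAULTS = {
  "x_frame_options"        => "DENY",
  "x_content_type_options" => "nosniff",
  "x_xss_protection"       => "1; mode=block",
}.freeze
# Locked version of gem_name from Gemfile.lock text, or nil. Resolved gems sit under
# "specs:" as "    name (version)"; bare names under DEPENDENCIES deliberately do not match.
def locked_gem_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end
# Settings in a SecureHeaders::Configuration.default block that differ from the defaults.
# An unset key keeps the gem default; a non-string value (e.g. an opt-out constant) counts as changed.
def weakened_headers(config_text)
  configured = {}
  config_text.scan(/config\.(x_\w+)\s*=\s*(?:"([^"]*)"|(\S+))/) do |key, quoted, bare|
    configured[key] = quoted || bare
  end
  SECURE_HEADERS_DEFAULTS.each_with_object({}) do |(key, expected), weak|
    actual = configured.fetch(key, expected)
    weak[key] = actual if actual != expected
  end
end
# The decision the issue proposes: suppress the "Security Related Headers" finding
# only when the gem is locked and its header defaults are untouched.
def report_security_headers?(lockfile_text, config_text)
  return true if locked_gem_version(lockfile_text, "secure_headers").nil?
  !weakened_headers(config_text).empty?
end
# Constructed sample inputs, not taken from any real application.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    specs:
      rails (4.2.5)
      secure_headers (3.0.0)
  DEPENDENCIES
    secure_headers
LOCK
SAMPLE_CONFIG = <<~RUBY
  SecureHeaders::Configuration.default do |config|
    config.x_frame_options = "DENY"
    config.x_content_type_options = "nosniff"
    config.x_xss_protection = "1; mode=block"
  end
RUBY
WEAKENED_CONFIG = SAMPLE_CONFIG.sub('"DENY"', '"SAMEORIGIN"')
```

With the samples above, `report_security_headers?(SAMPLE_LOCKFILE, SAMPLE_CONFIG)` is false and becomes true as soon as the gem is missing from the lockfile or a header default is changed.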
@thesp0nge thesp0nge added this to the v1-5-5 milestone Jan 28, 2016
@thesp0nge thesp0nge self-assigned this Jan 28, 2016
@jasnow
Contributor

jasnow commented Feb 28, 2016

An issue for me too.

thesp0nge added a commit that referenced this issue Sep 27, 2016
either a pattern matching control and a dependency check if secure_header
gem is present or not
@thesp0nge
Owner

Can you try whether this solves your issue?

@thesp0nge thesp0nge removed this from the v1-7-0 milestone Apr 14, 2023