
Split non-standard HTTP headers to non-standard and deprecated #3188

Open
stephanie0x00 opened this issue Jul 4, 2024 · 0 comments
Labels
bits boefjes Issues related to boefjes tech-debt

Comments


stephanie0x00 commented Jul 4, 2024

Describe the bug
All non-standard and deprecated HTTP headers are currently gathered into 1 finding (#3127). Ideally these should be split into two categories.

As discussed with @noamblitz the title of the finding is renamed to "KAT-NONSTANDARD-HEADERS" for all these headers to include the headers listed below. In the future it would be nice to have these split into two categories: Non-standard findings and deprecated findings.

Seeing that these headers are no longer required, they are however still non-standard. Maybe we should introduce a finding for those (if we don't already have one) and raise that for all of these non-standard headers. The following non-standard headers would warrant this I'd think:

* [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
* [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
* [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
* [X-DNS-Prefetch-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control)
* [X-Robots-Tag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Robots-Tag)

There are also deprecated headers that might warrant a similar warning:

* [Pragma](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma)
* [Warning](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Warning)

Originally posted by @stephanie0x00 in #3127 (comment)
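The split proposed above, as an added illustration that is not OpenKAT's own bit code: a small classifier that parses a raw HTTP response, matches header names case-insensitively against the two lists from the issue, and raises one finding per category. `KAT-NONSTANDARD-HEADERS` is the finding name from the issue; `KAT-DEPRECATED-HEADERS` and the sample response are assumptions made here.

```python
from collections import defaultdict

# Header lists exactly as proposed in the issue; names are compared lower-cased
# because HTTP field names are case-insensitive.
NON_STANDARD = {"x-forwarded-for", "x-forwarded-host", "x-forwarded-proto",
                "x-dns-prefetch-control", "x-robots-tag"}
DEPRECATED = {"pragma", "warning"}

FINDING_NONSTANDARD = "KAT-NONSTANDARD-HEADERS"  # finding id named in the issue
FINDING_DEPRECATED = "KAT-DEPRECATED-HEADERS"    # assumed id, not an existing OpenKAT finding


def parse_headers(raw):
    """Parse the header section of a raw HTTP/1.1 response into (name, value) pairs."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line terminates the header section
            break
        if line[0] in " \t" and headers:  # obsolete line folding: continue previous value
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def classify_headers(raw):
    """Return {finding_id: sorted header names} for one response; empty dict if clean."""
    findings = defaultdict(set)
    for name, _ in parse_headers(raw):
        if name in NON_STANDARD:
            findings[FINDING_NONSTANDARD].add(name)
        elif name in DEPRECATED:
            findings[FINDING_DEPRECATED].add(name)
    return {fid: sorted(names) for fid, names in findings.items()}


# Constructed sample response: two non-standard headers (one in odd casing) and one deprecated.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-Forwarded-For: 203.0.113.5\r\nPragma: no-cache\r\n"
                   "X-ROBOTS-TAG: noindex\r\nContent-Length: 0\r\n\r\n<html></html>")

if __name__ == "__main__":
    for finding_id, names in classify_headers(SAMPLE_RESPONSE).items():
        print(finding_id, names)
```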
