# mondoo-http-security.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-http-security
    name: Mondoo HTTP Security
    version: 1.1.1
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: host
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        The Mondoo HTTP Security policy includes checks for ensuring the security of HTTP headers.

        ## Remote scan

        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

        For a complete list of providers run:

        ```bash
        cnspec scan --help
        ```

        ### Scan a host

        ```bash
        cnspec scan host <fqdn>
        ```
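        ### Check a captured response without cnspec

        The script below is an added example; it is not part of this policy or of cnspec. It reproduces the header checks defined in the `queries` section with POSIX sh and grep, keyed by the same query uids, so a response head captured with `curl -sI` can be judged by hand, and it carries two constructed sample responses (one weak, one hardened) so it also runs offline. It assumes that header names match case-insensitively, that the Server value is lower-cased before the policy's regular expression is applied, and that Strict-Transport-Security is only required for HTTPS endpoints, mirroring the `tls.certificates != empty` filter of the second group. The file name `check_headers.sh` in the usage comments is a placeholder.

        ```bash
        #!/bin/sh
        # Added example, not part of the Mondoo policy or of cnspec: re-implements the
        # header checks of mondoo-http-security with sh and grep, keyed by the query
        # uids of the policy. Assumptions (the MQL in the queries section is the reference):
        #   - header names match case-insensitively (HTTP/1.1 semantics)
        #   - the Server value is lower-cased before the policy's regex is applied
        #   - Strict-Transport-Security is only required for HTTPS endpoints
        #     (the policy's second group is filtered on tls.certificates != empty)

        # Constructed sample response heads (not captured from a real host).
        WEAK_HEAD=$(printf '%s\n' \
          'HTTP/1.1 200 OK' \
          'Server: Microsoft-IIS/10.0' \
          'X-Powered-By: ASP.NET' \
          'X-AspNet-Version: 4.0.30319' \
          'X-AspNetMvc-Version: 5.2' \
          'Content-Type: text/html')
        HARDENED_HEAD=$(printf '%s\n' \
          'HTTP/1.1 200 OK' \
          'Server: webserver' \
          'Content-Type: text/html' \
          'X-Content-Type-Options: nosniff' \
          "Content-Security-Policy: default-src 'self'" \
          'Strict-Transport-Security: max-age=63072000; includeSubDomains')

        # value_of HEAD NAME: print the value(s) of header NAME, one per line, CRs stripped
        value_of() {
          printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | sed 's/^[^:]*:[[:space:]]*//'
        }
        # has_header HEAD NAME: true if header NAME is present at all
        has_header() { printf '%s\n' "$1" | tr -d '\r' | grep -qi "^$2:"; }
        # header_absent HEAD NAME: true if header NAME is not present
        header_absent() { ! has_header "$1" "$2"; }
        # nosniff_set HEAD: true if X-Content-Type-Options is exactly "nosniff"
        nosniff_set() { [ "$(value_of "$1" X-Content-Type-Options | tr 'A-Z' 'a-z')" = nosniff ]; }
        # server_hidden HEAD: true if Server is missing or names none of the products
        # listed in the policy's regex
        server_hidden() {
          ! value_of "$1" Server | tr 'A-Z' 'a-z' | grep -Eq 'nginx|microsoft|apache|lsws|openresty'
        }

        # check UID COMMAND [ARGS...]: run one check, print PASS/FAIL, count failures
        check() {
          uid=$1; shift
          if "$@"; then echo "PASS $uid"; else echo "FAIL $uid"; failures=$((failures + 1)); fi
        }

        # check_head HEAD SCHEME: evaluate every check of the policy against HEAD
        # (a raw response head); returns the number of failing checks, 0 = compliant
        check_head() {
          failures=0
          check mondoo-http-security-x-content-type-options-nosniff nosniff_set "$1"
          check mondoo-http-security-content-security-policy has_header "$1" Content-Security-Policy
          check mondoo-http-security-obfuscate-server server_hidden "$1"
          check mondoo-http-security-no-x-powered-by header_absent "$1" X-Powered-By
          check mondoo-http-security-no-x-aspnet-version header_absent "$1" X-AspNet-Version
          check mondoo-http-security-no-x-aspnetmvc-version header_absent "$1" X-AspNetMvc-Version
          check mondoo-http-security-no-public-key-pins header_absent "$1" Public-Key-Pins
          if [ "$2" = https ]; then  # the HSTS group only applies when TLS is in use
            check mondoo-http-security-strict-transport-security has_header "$1" Strict-Transport-Security
          fi
          return "$failures"
        }

        # failure_count HEAD SCHEME: like check_head, but prints the count instead of
        # the report (handy in scripts and tests)
        failure_count() { check_head "$1" "$2" >/dev/null && echo 0 || echo "$?"; }

        case "${1:-demo}" in
          demo)  # no argument: evaluate the two constructed samples
            echo "## weak sample (https)";     check_head "$WEAK_HEAD" https || echo "-> $? check(s) failing"
            echo "## hardened sample (https)"; check_head "$HARDENED_HEAD" https && echo "-> compliant"
            ;;
          *)     # usage: curl -sI https://<fqdn> | sh check_headers.sh https
            check_head "$(cat)" "$1"
            ;;
        esac
        ```

        Run it without arguments to see both samples evaluated, or pipe a real response head into it with `curl -sI https://<fqdn> | sh check_headers.sh https` (pass `http` for a plain-HTTP endpoint so the HSTS check is skipped, as the policy's group filter does).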
        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Headers for HTTP/HTTPS communication
        filters: asset.platform == 'host'
        checks:
          - uid: mondoo-http-security-x-content-type-options-nosniff
          - uid: mondoo-http-security-content-security-policy
          - uid: mondoo-http-security-obfuscate-server
          - uid: mondoo-http-security-no-x-powered-by
          - uid: mondoo-http-security-no-x-aspnet-version
          - uid: mondoo-http-security-no-x-aspnetmvc-version
          - uid: mondoo-http-security-no-public-key-pins
      - title: Headers for HTTPS communication
        filters: |
          asset.platform == 'host'
          tls.certificates != empty
        checks:
          - uid: mondoo-http-security-strict-transport-security
    scoring_system: highest impact
queries:
  - uid: mondoo-http-security-x-content-type-options-nosniff
    title: Set X-Content-Type-Options HTTP header to 'nosniff'
    mql: http.get.header.xContentTypeOptions == "nosniff"
    docs:
      desc: |
        Avoid MIME type sniffing by setting the 'X-Content-Type-Options' HTTP header to 'nosniff'.
      refs:
        - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
          title: MDN Web Docs X-Content-Type-Options
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
          title: OWASP HTTP Security Response Headers Cheat Sheet
  - uid: mondoo-http-security-content-security-policy
    title: Set Content Security Policy (CSP) HTTP header
    mql: http.get.header.params.keys.any('Content-Security-Policy')
    docs:
      desc: |
        Use the Content Security Policy (CSP) HTTP header to mitigate Cross-Site Scripting (XSS) and data injection attacks.
      refs:
        - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
          title: MDN Web Docs Content Security Policy (CSP)
  - uid: mondoo-http-security-strict-transport-security
    title: Set Strict-Transport-Security (HSTS) HTTP header
    mql: http.get.header.params.keys.any('Strict-Transport-Security')
    docs:
      desc: |
        Use the Strict-Transport-Security (HSTS) header to eliminate the need for an HTTP to HTTPS redirect and to protect against man-in-the-middle attacks.
      refs:
        - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
          title: MDN Web Docs Strict-Transport-Security
  - uid: mondoo-http-security-obfuscate-server
    title: Remove or obfuscate the Server header
    mql: http.get.header.params.keys.none("Server") || http.get.header.params["Server"].map(downcase).none(_ == /nginx|microsoft|apache|lsws|openresty/)
    docs:
      desc: |
        The Server header exposes information about the server software. Remove it, or replace its value with a generic one, to reduce the attack surface.
      refs:
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#server
          title: OWASP HTTP Security Response Headers Cheat Sheet
  - uid: mondoo-http-security-no-x-powered-by
    title: Remove all X-Powered-By headers
    mql: http.get.header.params.keys.none("X-Powered-By")
    docs:
      desc: |
        The X-Powered-By header exposes information about the server software. Remove it to reduce the attack surface.
      refs:
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-powered-by
          title: OWASP HTTP Security Response Headers Cheat Sheet
  - uid: mondoo-http-security-no-x-aspnet-version
    title: Remove all X-AspNet-Version headers
    mql: http.get.header.params.keys.none("X-AspNet-Version")
    docs:
      desc: |
        The X-AspNet-Version header exposes information about the server software. Remove it to reduce the attack surface.
      refs:
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-aspnet-version
          title: OWASP HTTP Security Response Headers Cheat Sheet
  - uid: mondoo-http-security-no-x-aspnetmvc-version
    title: Remove all X-AspNetMvc-Version headers
    mql: http.get.header.params.keys.none("X-AspNetMvc-Version")
    docs:
      desc: |
        The X-AspNetMvc-Version header exposes information about the server software. Remove it to reduce the attack surface.
      refs:
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-aspnetmvc-version
          title: OWASP HTTP Security Response Headers Cheat Sheet
  - uid: mondoo-http-security-no-public-key-pins
    title: The header Public-Key-Pins is deprecated and should not be used
    mql: http.get.header.params.keys.none("Public-Key-Pins")
    docs:
      desc: |
        The Public-Key-Pins header is deprecated and should not be used anymore.
      refs:
        - url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#public-key-pins-hpkp
          title: OWASP HTTP Security Response Headers Cheat Sheet