Http

Class: Drutiny\Http\Audit\Http
Extends: Drutiny\Audit
Package: drutiny/http

NOTE: This Audit is abstract and cannot be used directly by a policy.

HttpHeaderExists

Class: Drutiny\Http\Audit\HttpHeaderExists
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| HTTP:Content-Security-Policy | HTTP Content-Security-Policy |
| HTTP:HSTS | HTTP HSTS |
| HTTP:ReferrerPolicy | HTTP Referrer Policy |
| HTTP:X-Frame-Options | HTTP X-Frame-Options |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| header_value | string | The value to check against. | null |

Source

  public function audit(Sandbox $sandbox)
  {
    $res = $this->getHttpResponse($sandbox);
    if ($has_header = $res->hasHeader($sandbox->getParameter('header'))) {
        $headers = $res->getHeader($sandbox->getParameter('header'));
        $sandbox->setParameter('header_value', $headers[0]);
    }
    return $has_header;
  }

HttpHeaderMatch

Class: Drutiny\Http\Audit\HttpHeaderMatch
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| Acquia:CloudEdgeCaching | Cloud Edge Caching |
| HTTP:X-Content-Type-Options | HTTP X-Content-Type-Options |
| HTTP:X-XSS-Protection | HTTP X-XSS-Protection |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| header_value | string | The value to check against. | null |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| header_value | string | The value to check against. | null |

Source

  public function audit(Sandbox $sandbox)
  {
    $value = $sandbox->getParameter('header_value');
    $res = $this->getHttpResponse($sandbox);
    $header = $sandbox->getParameter('header');

    if (!$res->hasHeader($header)) {
      return FALSE;
    }
    $headers = $res->getHeader($header);
    return $value == $headers[0];
  }

HttpHeaderNotExists

Class: Drutiny\Http\Audit\HttpHeaderNotExists
Extends: Drutiny\Http\Audit\HttpHeaderExists
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| HTTP:X-Drupal-Cache-Tags | X-Drupal-Cache-Tags Header Disabled |
| HTTP:Authorization | HTTP Authorization Disabled |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| header_value | string | The value to check against. | null |

Source

  public function audit(Sandbox $sandbox)
  {
    return !parent::audit($sandbox);
  }

HttpHeaderRegex

Class: Drutiny\Http\Audit\HttpHeaderRegex
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| HTTP:Cache-Control | HTTP Cache-Control |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| regex | string | A regular expression to validate the header value against. | null |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| header | string | The HTTP header to check the value of. | null |
| regex | string | A regular expression to validate the header value against. | null |

Source

  public function audit(Sandbox $sandbox)
  {
    $regex = $sandbox->getParameter('regex');
    $regex = "/$regex/";
    $res = $this->getHttpResponse($sandbox);
    $header = $sandbox->getParameter('header');

    if (!$res->hasHeader($header)) {
      return FALSE;
    }
    $headers = $res->getHeader($header);
    return preg_match($regex, $headers[0]);
  }

HttpStatusCode

Class: Drutiny\Http\Audit\HttpStatusCode
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| HTTP:ValidSSL | HTTPS Valid SSL Certificate |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| status_code | string | The expected status code from the HTTP response. | 200 |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| status_code | string | The expected status code from the HTTP response. | 200 |

Source

  public function audit(Sandbox $sandbox)
  {
    $status_code = $sandbox->getParameter('status_code', 200);
    $res = $this->getHttpResponse($sandbox);
    return $status_code == $res->getStatusCode();
  }

HttpsRedirect

Class: Drutiny\Http\Audit\HttpsRedirect
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| HTTP:ForceHTTPS | Force HTTPS |

Source

  public function audit(Sandbox $sandbox)
  {
    $url = $sandbox->getParameter('url', $uri = $sandbox->getTarget()->uri());
    $url = strtr($url, [
      'https://' => 'http://',
    ]);
    $sandbox->setParameter('url', $url);
    $sandbox->setParameter('expected_location', strtr($url, [
      'http://' => 'https://',
    ]));

    // Ensure the redirect is not followed.
    $options = $sandbox->getParameter('options', []);
    $options['allow_redirects'] = FALSE;
    $sandbox->setParameter('options', $options);

    $res = $this->getHttpResponse($sandbox);

    if (!$res->hasHeader('Location')) {
      return FALSE;
    }
    if ($res->getStatusCode() < 300 || $res->getStatusCode() > 400) {
      return FALSE;
    }
    $headers = $res->getHeader('Location');

    $sandbox->setParameter('location', $headers[0]);

    return strpos($headers[0], 'https://') !== FALSE;
  }
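The header, status and redirect audits above all reduce to a few comparisons on the first value of a response header. The following model, added here as an illustration and not part of drutiny/http, mirrors those comparisons over constructed responses so a policy author can see which responses pass: `HttpHeaderMatch` is an exact comparison of the first header value, `HttpHeaderRegex` wraps the parameter as `/$regex/` and so searches unanchored (a regex of `max-age=\d+` also matches `max-age=0`), and `HttpsRedirect` accepts any status from 300 to 400 inclusive whose `Location` contains `https://` anywhere. Function names and the response layout are this example's own.

```python
"""Model of the drutiny/http audits (illustration, not drutiny code)."""
import re

# Constructed response shape: status code plus {header_name: [values...]}.
# Header names are matched case-insensitively, as PSR-7 hasHeader()/getHeader() do;
# values are compared as-is, like the audit() methods above.


def _lookup(headers, name):
    for key, values in headers.items():
        if key.lower() == name.lower():
            return values
    return None


def header_exists(status, headers, header):
    """HttpHeaderExists: pass if the header is present at all."""
    return _lookup(headers, header) is not None


def header_match(status, headers, header, header_value):
    """HttpHeaderMatch: exact comparison against the first value only."""
    values = _lookup(headers, header)
    return values is not None and values[0] == header_value


def header_regex(status, headers, header, regex):
    """HttpHeaderRegex: preg_match("/$regex/") is an unanchored search."""
    values = _lookup(headers, header)
    return values is not None and re.search(regex, values[0]) is not None


def status_code(status, headers, expected=200):
    """HttpStatusCode: compare the status against the expected code."""
    return status == expected


def https_redirect(status, headers):
    """HttpsRedirect: 3xx (or 400) with a Location containing https://."""
    location = _lookup(headers, "Location")
    if location is None or status < 300 or status > 400:
        return False
    return "https://" in location[0]


if __name__ == "__main__":
    cache = {"Cache-Control": ["max-age=0, private"]}  # constructed
    print(header_regex(200, cache, "Cache-Control", r"max-age=\d+"))       # True
    print(header_regex(200, cache, "Cache-Control", r"^max-age=[1-9]\d*"))  # False
    print(https_redirect(301, {"Location": ["https://example.com/"]}))      # True
```

Anchoring the `regex` parameter (`^...$`) is the way to make the Cache-Control check as strict as a policy intends.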

SslAssertion

Class: Drutiny\Http\Audit\SslAssertion
Extends: Drutiny\Audit\AbstractAnalysis
Package: drutiny/http

Policies

These are the policies that use this class:

| Name | Title |
|---|---|
| SSL:DistrustedSymantecPKI | Chrome distrusted Symantec PKI |

Parameters

| Name | Type | Description | Default |
|---|---|---|---|
| host | string | The domain name to connect to. | false |
| port | integer | The SSL port to connect to. | 443 |
| expression | string | The expression language expression to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html | 'true' |

Tokens

| Name | Type | Description | Default |
|---|---|---|---|
| host | string | The domain name to connect to. | false |
| port | integer | The SSL port to connect to. | 443 |
| expression | string | The expression language expression to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html | 'true' |
| cert | array | A multidimensional array representing the certificate info. | null |

Source

  final public function audit(Sandbox $sandbox)
  {
    $this->gather($sandbox);
    $expressionLanguage = new ExpressionLanguage();
    $variables  = $sandbox->getParameterTokens();
    $sandbox->logger()->info(__CLASS__ . ': ' . Yaml::dump($variables));

    $expression = $sandbox->getParameter('not_applicable', 'false');
    $sandbox->logger()->info(__CLASS__ . ': ' . $expression);
    if ($expressionLanguage->evaluate($expression, $variables)) {
      return self::NOT_APPLICABLE;
    }

    $expression = $sandbox->getParameter('expression', 'true');
    $sandbox->logger()->info(__CLASS__ . ': ' . $expression);
    return $expressionLanguage->evaluate($expression, $variables);
  }