drutiny/http
HTTP Authorization Disabled
Name: HTTP:Authorization
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderNotExists
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
Authorization headers can bypass page caching strategies, which can detract from performance.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Authorization |
HTTP Cache-Control
Name: HTTP:Cache-Control
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderRegex
The Cache-Control header informs reverse proxies and browsers how to cache your web page for performance reasons. A cacheable page should also contain the max-age directive, e.g. max-age=600; public.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Cache-Control |
regex | string | A regular expression to validate the header value against. | max-age= |
HTTP Content-Security-Policy
Name: HTTP:Content-Security-Policy
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderExists
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Content-Security-Policy |
Force HTTPS
Name: HTTP:ForceHTTPS
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpsRedirect
Ensure requests made over HTTP redirect the user to an HTTPS URL. This ensures no content is ever served over an insecure connection, which is considered a best practice.
HTTP HSTS
Name: HTTP:HSTS
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderExists
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Strict-Transport-Security |
HTTP Referrer Policy
Name: HTTP:ReferrerPolicy
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderExists
Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | Referrer-Policy |
HTTPS Valid SSL Certificate
Name: HTTP:ValidSSL
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpStatusCode
Ensure HTTPS requests are served over a valid SSL connection. This validates the SSL certificate and chain of authority to ensure browsers will also be able to trust this connection.
Parameters
Name | Type | Description | Default |
---|---|---|---|
force_ssl | boolean | Require a valid SSL certificate and chain for the request. | true |
HTTP X-Content-Type-Options
Name: HTTP:X-Content-Type-Options
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderMatch
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is X-Content-Type-Options: nosniff.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Content-Type-Options |
header_value | string | The value to check against. | nosniff |
HTTP X-Frame-Options
Name: HTTP:X-Frame-Options
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderExists
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-Frame-Options |
HTTP X-XSS-Protection
Name: HTTP:X-XSS-Protection
Package: drutiny/http
Class: \Drutiny\Http\Audit\HttpHeaderMatch
X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is X-XSS-Protection: 1; mode=block.
Parameters
Name | Type | Description | Default |
---|---|---|---|
header | string | The HTTP header to check the value of. | X-XSS-Protection |
header_value | string | The value to check against. | '1; mode=block' |
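The header audits above (HttpHeaderExists, HttpHeaderNotExists, HttpHeaderRegex and HttpHeaderMatch) re-implemented in Python as an added example, not drutiny's own code, and run with this page's default parameters against a constructed set of response headers. Treating the HttpHeaderMatch comparison as exact and case-sensitive is an assumption of this example.

```python
import re

# Constructed response headers for a hypothetical site; not a real capture.
SAMPLE_HEADERS = {
    "Cache-Control": "max-age=600, public",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
}

def _get(headers, name):
    # Header names are case-insensitive (RFC 7230), so match case-folded.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def header_exists(headers, header):          # HttpHeaderExists
    return _get(headers, header) is not None

def header_not_exists(headers, header):      # HttpHeaderNotExists
    return _get(headers, header) is None

def header_regex(headers, header, regex):    # HttpHeaderRegex
    value = _get(headers, header)
    return value is not None and re.search(regex, value) is not None

def header_match(headers, header, header_value):  # HttpHeaderMatch
    # Exact comparison of the value; case-sensitivity is an assumption of
    # this example, not documented drutiny behaviour.
    value = _get(headers, header)
    return value is not None and value.strip() == header_value

# The header policies listed on this page with their default parameters.
POLICIES = {
    "HTTP:Authorization": (header_not_exists, {"header": "Authorization"}),
    "HTTP:Cache-Control": (header_regex, {"header": "Cache-Control", "regex": "max-age="}),
    "HTTP:Content-Security-Policy": (header_exists, {"header": "Content-Security-Policy"}),
    "HTTP:HSTS": (header_exists, {"header": "Strict-Transport-Security"}),
    "HTTP:ReferrerPolicy": (header_exists, {"header": "Referrer-Policy"}),
    "HTTP:X-Content-Type-Options": (header_match, {"header": "X-Content-Type-Options", "header_value": "nosniff"}),
    "HTTP:X-Frame-Options": (header_exists, {"header": "X-Frame-Options"}),
    "HTTP:X-XSS-Protection": (header_match, {"header": "X-XSS-Protection", "header_value": "1; mode=block"}),
}

def run_policies(headers, policies=POLICIES):
    """Return {policy name: True (pass) / False (fail)} for every policy."""
    return {name: check(headers, **params) for name, (check, params) in policies.items()}
```

With the sample headers, the missing Referrer-Policy and the X-XSS-Protection value of 0 are the two failures.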
Chrome distrusted Symantec PKI
Name: SSL:DistrustedSymantecPKI
Package: drutiny/http
Class: \Drutiny\Http\Audit\SslAssertion
At the end of July 2018, the Chrome team and PKI community plan to reduce, and remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web. SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 will no longer be trusted.
Parameters
Name | Type | Description | Default |
---|---|---|---|
expression | string | The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html | "not (cert[\"issuer\"][\"O\"] in [\"DigiCert Inc\", \"thawte, Inc.\", \"GeoTrust Inc.\"]\nand cert[\"validFrom_time_t\"] < 1512039600)\n" |
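The default expression above, written out in Python as an added example rather than drutiny code: it fails a certificate whose issuer O is one of the listed organisations and whose validFrom_time_t is earlier than the policy's cut-off. The cert dict follows the shape of PHP's openssl_x509_parse() output; the from_peercert() helper that builds it from Python's ssl.getpeercert() result is this example's own, and the certificates are constructed.

```python
import ssl

# Issuer organisations and cut-off timestamp taken from the policy's default expression.
LEGACY_SYMANTEC_ISSUERS = ["DigiCert Inc", "thawte, Inc.", "GeoTrust Inc."]
CUTOFF_TIME_T = 1512039600

def symantec_pki_trusted(cert):
    """Python form of the policy expression over a cert dict shaped like
    PHP's openssl_x509_parse(): fails when a listed issuer signed the
    certificate before the cut-off, i.e. under the legacy Symantec PKI."""
    legacy = (cert["issuer"].get("O") in LEGACY_SYMANTEC_ISSUERS
              and cert["validFrom_time_t"] < CUTOFF_TIME_T)
    return not legacy

def from_peercert(peercert):
    """Hypothetical helper (this example's own, not drutiny's): convert the dict
    returned by ssl.SSLSocket.getpeercert() into the openssl_x509_parse() shape."""
    issuer = {}
    for rdn in peercert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                issuer["O"] = value
    # cert_time_to_seconds() parses the GMT notBefore string into a POSIX timestamp.
    return {"issuer": issuer,
            "validFrom_time_t": ssl.cert_time_to_seconds(peercert["notBefore"])}

# Constructed certificates (not real ones) in getpeercert() form.
LEGACY_CERT = {      # legacy-PKI issuer, issued before the cut-off: distrusted
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),)),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
}
REISSUED_CERT = {    # same issuer name, issued after the cut-off: trusted
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),)),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
}
OTHER_CA_CERT = {    # unrelated CA, the date does not matter: trusted
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
}
```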