@philly-vanilly
Created August 11, 2018 20:10
observatory audit two
{
"scan": {
"grade": "B",
"likelihood_indicator": "MEDIUM",
"response_headers": {
"Connection": "keep-alive",
"Content-Encoding": "gzip",
"Content-Security-Policy": "frame-ancestors 'none'",
"Content-Type": "text/html",
"Date": "Sat, 11 Aug 2018 16:58:51 GMT",
"ETag": "W/\"5b6ebb6e-245\"",
"Last-Modified": "Sat, 11 Aug 2018 10:33:18 GMT",
"Server": "nginx",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains",
"Transfer-Encoding": "chunked",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY"
},
"score": 75,
"tests_failed": 2,
"tests_passed": 10,
"tests_quantity": 12
},
"tests": {
"content-security-policy": {
"data": {
"frame-ancestors": [
"'none'"
]
},
"expectation": "csp-implemented-with-no-unsafe",
"http": true,
"meta": false,
"pass": false,
"policy": {
"antiClickjacking": true,
"defaultNone": false,
"insecureBaseUri": true,
"insecureFormAction": true,
"insecureSchemeActive": false,
"insecureSchemePassive": false,
"strictDynamic": false,
"unsafeEval": false,
"unsafeInline": true,
"unsafeInlineStyle": true,
"unsafeObjects": true
},
"result": "csp-implemented-with-unsafe-inline",
"score_description": "Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.",
"score_modifier": -20
},
"contribute": {
"data": null,
"expectation": "contribute-json-only-required-on-mozilla-properties",
"pass": true,
"result": "contribute-json-only-required-on-mozilla-properties",
"score_description": "Contribute.json isn't required on websites that don't belong to Mozilla",
"score_modifier": 0
},
"cookies": {
"data": null,
"expectation": "cookies-secure-with-httponly-sessions",
"pass": true,
"result": "cookies-not-found",
"sameSite": null,
"score_description": "No cookies detected",
"score_modifier": 0
},
"cross-origin-resource-sharing": {
"data": {
"acao": null,
"clientaccesspolicy": null,
"crossdomain": null
},
"expectation": "cross-origin-resource-sharing-not-implemented",
"pass": true,
"result": "cross-origin-resource-sharing-not-implemented",
"score_description": "Content is not visible via cross-origin resource sharing (CORS) files or headers",
"score_modifier": 0
},
"public-key-pinning": {
"data": null,
"expectation": "hpkp-not-implemented",
"includeSubDomains": false,
"max-age": null,
"numPins": null,
"pass": true,
"preloaded": false,
"result": "hpkp-not-implemented",
"score_description": "HTTP Public Key Pinning (HPKP) header not implemented",
"score_modifier": 0
},
"redirection": {
"destination": "https://localhost/",
"expectation": "redirection-to-https",
"pass": true,
"redirects": true,
"result": "redirection-to-https",
"route": [
"http://localhost/",
"https://localhost/"
],
"score_description": "Initial redirection is to HTTPS on same host, final destination is HTTPS",
"score_modifier": 0,
"status_code": 200
},
"referrer-policy": {
"data": null,
"expectation": "referrer-policy-private",
"http": false,
"meta": false,
"pass": true,
"result": "referrer-policy-not-implemented",
"score_description": "Referrer-Policy header not implemented",
"score_modifier": 0
},
"strict-transport-security": {
"data": "max-age=31536000; includeSubdomains",
"expectation": "hsts-implemented-max-age-at-least-six-months",
"includeSubDomains": true,
"max-age": 31536000,
"pass": true,
"preload": false,
"preloaded": false,
"result": "hsts-implemented-max-age-at-least-six-months",
"score_description": "HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)",
"score_modifier": 0
},
"subresource-integrity": {
"data": {},
"expectation": "sri-implemented-and-external-scripts-loaded-securely",
"pass": true,
"result": "sri-not-implemented-but-all-scripts-loaded-from-secure-origin",
"score_description": "Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin",
"score_modifier": 0
},
"x-content-type-options": {
"data": "nosniff",
"expectation": "x-content-type-options-nosniff",
"pass": true,
"result": "x-content-type-options-nosniff",
"score_description": "X-Content-Type-Options header set to \"nosniff\"",
"score_modifier": 0
},
"x-frame-options": {
"data": "DENY",
"expectation": "x-frame-options-sameorigin-or-deny",
"pass": true,
"result": "x-frame-options-implemented-via-csp",
"score_description": "X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive",
"score_modifier": 5
},
"x-xss-protection": {
"data": null,
"expectation": "x-xss-protection-1-mode-block",
"pass": false,
"result": "x-xss-protection-not-implemented",
"score_description": "X-XSS-Protection header not implemented",
"score_modifier": -10
}
}
}
Philips-MacBook-Pro:~ ply$ httpobs-local-scan --http-port 80 --no-verify localhost
{
"scan": {
"grade": "B",
"likelihood_indicator": "MEDIUM",
"response_headers": {
"Connection": "keep-alive",
"Content-Encoding": "gzip",
"Content-Security-Policy": "frame-ancestors 'none'",
"Content-Type": "text/html",
"Date": "Sat, 11 Aug 2018 20:07:15 GMT",
"ETag": "W/\"5b6ebb6e-245\"",
"Last-Modified": "Sat, 11 Aug 2018 10:33:18 GMT",
"Server": "nginx",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains",
"Transfer-Encoding": "chunked",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY"
},
"score": 75,
"tests_failed": 2,
"tests_passed": 10,
"tests_quantity": 12
},
"tests": {
"content-security-policy": {
"data": {
"frame-ancestors": [
"'none'"
]
},
"expectation": "csp-implemented-with-no-unsafe",
"http": true,
"meta": false,
"pass": false,
"policy": {
"antiClickjacking": true,
"defaultNone": false,
"insecureBaseUri": true,
"insecureFormAction": true,
"insecureSchemeActive": false,
"insecureSchemePassive": false,
"strictDynamic": false,
"unsafeEval": false,
"unsafeInline": true,
"unsafeInlineStyle": true,
"unsafeObjects": true
},
"result": "csp-implemented-with-unsafe-inline",
"score_description": "Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.",
"score_modifier": -20
},
"contribute": {
"data": null,
"expectation": "contribute-json-only-required-on-mozilla-properties",
"pass": true,
"result": "contribute-json-only-required-on-mozilla-properties",
"score_description": "Contribute.json isn't required on websites that don't belong to Mozilla",
"score_modifier": 0
},
"cookies": {
"data": null,
"expectation": "cookies-secure-with-httponly-sessions",
"pass": true,
"result": "cookies-not-found",
"sameSite": null,
"score_description": "No cookies detected",
"score_modifier": 0
},
"cross-origin-resource-sharing": {
"data": {
"acao": null,
"clientaccesspolicy": null,
"crossdomain": null
},
"expectation": "cross-origin-resource-sharing-not-implemented",
"pass": true,
"result": "cross-origin-resource-sharing-not-implemented",
"score_description": "Content is not visible via cross-origin resource sharing (CORS) files or headers",
"score_modifier": 0
},
"public-key-pinning": {
"data": null,
"expectation": "hpkp-not-implemented",
"includeSubDomains": false,
"max-age": null,
"numPins": null,
"pass": true,
"preloaded": false,
"result": "hpkp-not-implemented",
"score_description": "HTTP Public Key Pinning (HPKP) header not implemented",
"score_modifier": 0
},
"redirection": {
"destination": "https://localhost/",
"expectation": "redirection-to-https",
"pass": true,
"redirects": true,
"result": "redirection-to-https",
"route": [
"http://localhost/",
"https://localhost/"
],
"score_description": "Initial redirection is to HTTPS on same host, final destination is HTTPS",
"score_modifier": 0,
"status_code": 200
},
"referrer-policy": {
"data": null,
"expectation": "referrer-policy-private",
"http": false,
"meta": false,
"pass": true,
"result": "referrer-policy-not-implemented",
"score_description": "Referrer-Policy header not implemented",
"score_modifier": 0
},
"strict-transport-security": {
"data": "max-age=31536000; includeSubdomains",
"expectation": "hsts-implemented-max-age-at-least-six-months",
"includeSubDomains": true,
"max-age": 31536000,
"pass": true,
"preload": false,
"preloaded": false,
"result": "hsts-implemented-max-age-at-least-six-months",
"score_description": "HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)",
"score_modifier": 0
},
"subresource-integrity": {
"data": {},
"expectation": "sri-implemented-and-external-scripts-loaded-securely",
"pass": true,
"result": "sri-not-implemented-but-all-scripts-loaded-from-secure-origin",
"score_description": "Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin",
"score_modifier": 0
},
"x-content-type-options": {
"data": "nosniff",
"expectation": "x-content-type-options-nosniff",
"pass": true,
"result": "x-content-type-options-nosniff",
"score_description": "X-Content-Type-Options header set to \"nosniff\"",
"score_modifier": 0
},
"x-frame-options": {
"data": "DENY",
"expectation": "x-frame-options-sameorigin-or-deny",
"pass": true,
"result": "x-frame-options-implemented-via-csp",
"score_description": "X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive",
"score_modifier": 5
},
"x-xss-protection": {
"data": null,
"expectation": "x-xss-protection-1-mode-block",
"pass": false,
"result": "x-xss-protection-not-implemented",
"score_description": "X-XSS-Protection header not implemented",
"score_modifier": -10
}
}
}