nuclei-templates/http/misconfiguration/http-missing-security-heade...

108 lines
3.2 KiB
YAML
Raw Normal View History

2021-07-28 12:40:20 +00:00
id: http-missing-security-headers
info:
name: HTTP Missing Security Headers
2024-09-02 12:52:13 +00:00
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass,jub0bs,userdehghani
2021-07-28 12:40:20 +00:00
severity: info
description: |
This template searches for missing HTTP security headers. The impact of these missing headers can vary.
metadata:
max-request: 1
2023-10-14 11:27:55 +00:00
tags: misconfig,headers,generic
2021-07-28 12:40:20 +00:00
http:
2021-07-28 12:40:20 +00:00
- method: GET
path:
- "{{BaseURL}}"
2021-09-03 16:54:11 +00:00
host-redirects: true
2021-07-28 12:40:20 +00:00
max-redirects: 3
2023-10-14 11:27:55 +00:00
2021-07-28 12:40:20 +00:00
matchers-condition: or
matchers:
- type: dsl
2021-09-03 16:54:11 +00:00
name: strict-transport-security
dsl:
- "!regex('(?i)strict-transport-security', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: content-security-policy
dsl:
- "!regex('(?i)content-security-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
name: permissions-policy
dsl:
- "!regex('(?i)permissions-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
- type: dsl
2021-09-03 16:54:11 +00:00
name: x-frame-options
dsl:
- "!regex('(?i)x-frame-options', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: x-content-type-options
dsl:
- "!regex('(?i)x-content-type-options', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: x-permitted-cross-domain-policies
dsl:
- "!regex('(?i)x-permitted-cross-domain-policies', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: referrer-policy
dsl:
- "!regex('(?i)referrer-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: clear-site-data
dsl:
- "!regex('(?i)clear-site-data', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: cross-origin-embedder-policy
dsl:
- "!regex('(?i)cross-origin-embedder-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: cross-origin-opener-policy
dsl:
- "!regex('(?i)cross-origin-opener-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
2021-09-03 16:54:11 +00:00
- type: dsl
2021-09-03 16:54:11 +00:00
name: cross-origin-resource-policy
dsl:
- "!regex('(?i)cross-origin-resource-policy', header)"
- "status_code != 301 && status_code != 302"
condition: and
2024-09-02 12:52:13 +00:00
- type: dsl
name: content-type-charset-specification
dsl:
- "!regex('(?i)content-type', header)"
- "!regex('(?i)charset', header)"
- "status_code != 301 && status_code != 302"
condition: and
# digest: 4a0a004730450220085d54de6f23590ea9d6512c0ee0f85547ee0d82efb868bcaa773c0cb2deeac30221009e9cb57db7ce4f940a9f24b5eff0288e9a1ea6f024462225e1c0638bcaaedcb3:922c64590222798bb761d5b6d8e72950