nuclei-templates/http/misconfiguration/http-missing-security-heade...

id: http-missing-security-headers

info:
  name: HTTP Missing Security Headers
  author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass,jub0bs
  severity: info
  description: |
    This template searches for missing HTTP security headers. The impact of these missing headers can vary.
  tags: misconfig,headers,generic
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: dsl
        name: strict-transport-security
        dsl:
          - "!regex('(?i)strict-transport-security', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: content-security-policy
        dsl:
          - "!regex('(?i)content-security-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: permissions-policy
        dsl:
          - "!regex('(?i)permissions-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: x-frame-options
        dsl:
          - "!regex('(?i)x-frame-options', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: x-content-type-options
        dsl:
          - "!regex('(?i)x-content-type-options', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: x-permitted-cross-domain-policies
        dsl:
          - "!regex('(?i)x-permitted-cross-domain-policies', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: referrer-policy
        dsl:
          - "!regex('(?i)referrer-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: clear-site-data
        dsl:
          - "!regex('(?i)clear-site-data', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: cross-origin-embedder-policy
        dsl:
          - "!regex('(?i)cross-origin-embedder-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: cross-origin-opener-policy
        dsl:
          - "!regex('(?i)cross-origin-opener-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and

      - type: dsl
        name: cross-origin-resource-policy
        dsl:
          - "!regex('(?i)cross-origin-resource-policy', all_headers)"
          - "status_code != 301 && status_code != 302"
        condition: and
Added security headers templates 2021-07-28 12:40:20 +00:00			`id: http-missing-security-headers`

			`info:`
			`name: HTTP Missing Security Headers`
Fix issue 7265 2023-05-20 12:02:26 +00:00			`author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass,jub0bs`
Added security headers templates 2021-07-28 12:40:20 +00:00			`severity: info`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`description: \|`
			`This template searches for missing HTTP security headers. The impact of these missing headers can vary.`
Update http-missing-security-headers.yaml 2022-10-24 14:42:57 +00:00			`tags: misconfig,headers,generic`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
Added security headers templates 2021-07-28 12:40:20 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added security headers templates 2021-07-28 12:40:20 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`
updated matchers 2021-09-03 16:54:11 +00:00
Using "host-redirects" instead of "redirects" to avoid scanning 3rd party / out of scope hosts. (#5491) 2022-10-07 21:27:25 +00:00			`host-redirects: true`
Added security headers templates 2021-07-28 12:40:20 +00:00			`max-redirects: 3`
			`matchers-condition: or`
			`matchers:`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: strict-transport-security`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)strict-transport-security', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: content-security-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)content-security-policy', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
Fix typo The correct name of this header is 'Permissions-Policy' (with an 's') according to the documentation: https://developer.chrome.com/en/docs/privacy-sandbox/permissions-policy/ 2022-09-23 10:56:33 +00:00			`name: permissions-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
Fix typo The correct name of this header is 'Permissions-Policy' (with an 's') according to the documentation: https://developer.chrome.com/en/docs/privacy-sandbox/permissions-policy/ 2022-09-23 10:56:33 +00:00			`- "!regex('(?i)permissions-policy', all_headers)"`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- "status_code != 301 && status_code != 302"`
			`condition: and`
Adding permission-policy header (#3447) * Adding permission-policy header * lint fix Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-29 14:36:58 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: x-frame-options`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)x-frame-options', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: x-content-type-options`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)x-content-type-options', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: x-permitted-cross-domain-policies`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)x-permitted-cross-domain-policies', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: referrer-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)referrer-policy', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: clear-site-data`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)clear-site-data', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: cross-origin-embedder-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)cross-origin-embedder-policy', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: cross-origin-opener-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)cross-origin-opener-policy', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`
updated matchers 2021-09-03 16:54:11 +00:00
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`- type: dsl`
updated matchers 2021-09-03 16:54:11 +00:00			`name: cross-origin-resource-policy`
Do not report missing headers in case of HTTP redirects (#4425) 2022-05-17 20:49:08 +00:00			`dsl:`
			`- "!regex('(?i)cross-origin-resource-policy', all_headers)"`
			`- "status_code != 301 && status_code != 302"`
			`condition: and`