id: http-missing-security-headers

info:
  name: HTTP Missing Security Headers
  author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
  severity: info
  description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
  tags: misconfig,generic

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: regex
        name: strict-transport-security
        regex:
          - "(?i)strict-transport-security"
        negative: true
        part: header

      - type: regex
        name: content-security-policy
        regex:
          - "(?i)content-security-policy"
        negative: true
        part: header

      - type: regex
        name: x-frame-options
        regex:
          - "(?i)x-frame-options"
        negative: true
        part: header

      - type: regex
        name: x-content-type-options
        regex:
          - "(?i)x-content-type-options"
        negative: true
        part: header

      - type: regex
        name: x-permitted-cross-domain-policies
        regex:
          - "(?i)x-permitted-cross-domain-policies"
        negative: true
        part: header

      - type: regex
        name: referrer-policy
        regex:
          - "(?i)referrer-policy"
        negative: true
        part: header

      - type: regex
        name: clear-site-data
        regex:
          - "(?i)clear-site-data"
        negative: true
        part: header

      - type: regex
        name: cross-origin-embedder-policy
        regex:
          - "(?i)cross-origin-embedder-policy"
        negative: true
        part: header

      - type: regex
        name: cross-origin-opener-policy
        regex:
          - "(?i)cross-origin-opener-policy"
        negative: true
        part: header

      - type: regex
        name: cross-origin-resource-policy
        regex:
          - "(?i)cross-origin-resource-policy"
        negative: true
        part: header

      - type: regex
        name: access-control-allow-origin
        regex:
          - "(?i)access-control-allow-origin"
        negative: true
        part: header

      - type: regex
        name: access-control-allow-credentials
        regex:
          - "(?i)access-control-allow-credentials"
        negative: true
        part: header

      - type: regex
        name: access-control-expose-headers
        regex:
          - "(?i)access-control-expose-headers"
        negative: true
        part: header

      - type: regex
        name: access-control-max-age
        regex:
          - "(?i)access-control-max-age"
        negative: true
        part: header

      - type: regex
        name: access-control-allow-methods
        regex:
          - "(?i)access-control-allow-methods"
        negative: true
        part: header

      - type: regex
        name: access-control-allow-headers
        regex:
          - "(?i)access-control-allow-headers"