ZAP Full Scan Report #29
Comments
BTW, the HTML report goes into more details…
Huh? We don't even use Apache… 🙈
It claims with a different User-Agent different things are returned… I doubt… so… ? (see HTML for example URLs etc.) Also ignored some more rules & false-positives: #30 The other results are valid and basically covered by a stricter CSP (PrivateBin/PrivateBin#108) and stuff like that.
BTW also checked the production website with https://observatory.mozilla.org/analyze/privatebin.net and we get an A+.
Yes, these settings are packaged into the nginx container that contains and hosts the static site and are found here:
View the following link to download the report.
new security headers, recommended by ZAP scan #29
Ok, I think we may have to go for a more complex solution. I'll try to use a map to add only missing headers, so they aren't duplicated for the dynamic content.
…uhm… ok, as long as that is not a too big negative performance impact.
FYI, in 453cff7 I ended up using a different approach to solve this: I remove these headers if present in the FastCGI response, then always set them with the rule we previously introduced. The problem is that nginx's add_header only adds headers and there is no mod or other command to replace headers, so the map approach didn't work out in my tests. Aside: maps are more performant than if-conditions, in nginx configs.
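The strip-then-set pattern described in the comment above, as an added configuration example written for this page; it is not PrivateBin's own nginx.conf or the content of commit 453cff7. The header names and values, the document root and the PHP-FPM socket path are assumptions chosen to illustrate the technique:

```nginx
# Added example, not the project's configuration. Goal: the same security
# headers on static responses and on responses coming back from PHP via
# FastCGI, without duplicating any header the PHP side already emitted.
server {
    listen 80;
    server_name localhost;          # assumed
    root /var/www/html;             # assumed document root

    # Set once at server level; "always" also applies them to error responses.
    # Header names/values are assumptions (typical ZAP recommendations).
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # Static files are served directly; anything else falls through to index.php.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path

        # If the FastCGI backend already sent one of these headers, drop it
        # from the upstream response so the server-level add_header above
        # is the only copy the client sees (no duplicate headers).
        fastcgi_hide_header X-Content-Type-Options;
        fastcgi_hide_header X-Frame-Options;
        fastcgi_hide_header Referrer-Policy;
        fastcgi_hide_header Content-Security-Policy;
    }
}
```

One caveat worth checking in such a setup: add_header directives are inherited from the server level only when a location block declares none of its own, so adding a single add_header inside a location silently discards all the inherited ones for that location. Verifying with a request to a static path and to a PHP path (for example with curl -I) that each security header appears exactly once is the quickest way to confirm the duplication problem is actually gone.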
There are only two medium issues remaining:
On the other reports: None of our forms make use of Anti-CSRF tokens, because none of them are sent to the server - all are processed on the JS side.
correct: PrivateBin/PrivateBin#778 jQuery: PrivateBin/PrivateBin#608
svn_dir: We let all requests that don't match a static file (css, js, images) be handled by the index.php, so it just returns the app on that path.
Closing this as ZAP has apparently decided to use a new issue for the reports hehe: #69
new security headers, recommended by ZAP scan PrivateBin#29
Site: https://localhost
New Alerts
Site: http://localhost:8080
New Alerts
RunnerID:716506686