A dotnet tool to do an HTTP request/response security assessment
Latest commit da8b053 Feb 15, 2019
Type Name Latest commit message Commit time
src Initial commit Dec 13, 2018
test/CodeTherapy.HttpSecurityCheck.Tests Initial commit Dec 13, 2018
.gitignore Initial commit Dec 13, 2018
Build.ps1 Initial commit Dec 13, 2018
BuildTestPack.ps1 Initial commit Dec 13, 2018
DotnetHttpSecurityCheck.sln Initial commit Dec 13, 2018
Functions.ps1 Initial commit Dec 13, 2018
LICENSE.txt Initial commit Dec 13, 2018
Pack.ps1 Initial commit Dec 13, 2018
README.md Trivial improvement Feb 15, 2019
Shared.Dependencies.Test.props Initial commit Dec 13, 2018
Shared.Dependencies.props Initial commit Dec 13, 2018
Shared.Package.props Initial commit Dec 13, 2018
Shared.props Initial commit Dec 13, 2018
Test.ps1 Initial commit Dec 13, 2018

README.md

dotnet http-security-check

A .NET Core global tool that performs an HTTP request/response security assessment. You can also find some information on my Blog.

Installation

Download and install the .NET Core 2.2 SDK or newer. Once installed, run the following command:

dotnet tool install -g DotnetHttpSecurityCheck

If you already have a previous version of DotnetHttpSecurityCheck installed, you can upgrade to the latest version using the following command:

dotnet tool update -g DotnetHttpSecurityCheck

Usage

1.0.0

A dotnet tool to do a http request/response security assessment.

Usage: http-security-check [arguments] [options]

Arguments:
  Url                   A absolute URL for the security assessment (required).

Options:
  --version             Show version information
  -?|-h|--help          Show help information
  -o|--output <value>   The report output file path (optional).
  -f|--format <value>   Format of the report (optional). Default is Text.
  -v|--verbose <value>  Set the console verbosity level (optional). Default is normal. Allowed values are n[normal], q[uiet], d[etailed].

All Security Checks:

  > Header

    1# X-Content-Type-Options: Checks the response header value of the 'X-Content-Type-Options' header.
       Recommended is "X-Content-Type-Options: nosniff".

    2# X-Frame-Options: Checks the response header value of the 'X-Frame-Options' header.
       Recommended is "X-Frame-Options: deny".

    3# X-XSS-Protection: Checks the response header value of the 'X-XSS-Protection' header.
       Recommended is "X-XSS-Protection: 1;".

    4# Referrer-Policy: Checks the response header value of the 'Referrer-Policy' header.
       Recommended values: "strict-origin", "strict-origin-when-cross-origin" or "no-referrer".

    5# Content-Security-Policy: Checks the response header value of the 'Content-Security-Policy' header.
       Whitelisting sources of approved content. Example: "Content-Security-Policy: default-src 'self'"

    6# Strict-Transport-Security: Checks the response header value of the 'Strict-Transport-Security' header.
       Recommended is "Strict-Transport-Security: max-age=31536000; includeSubDomains".

    7# X-Powered-By: Checks the response header value of the 'X-Powered-By' header.
       Technology information should be removed.

    8# Server: Checks the response header value of the 'Server' header.
       Server information should be removed.

  > Request

    1# Server Certificate: Checks for server certificate validation errors.
       Recommended is a valid certificate that has no errors.

    2# HTTPS: Checks that the request/response is HTTPS.
       Recommended is to use HTTPS.
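
The header and HTTPS checks listed above, applied to a constructed set of response headers. This is an added Python example, not the tool's own code; the pass rules are assumptions read from the recommended values in the help text, and the server certificate check is left out because it needs a live connection.

```python
from urllib.parse import urlsplit

REFERRER_OK = {"strict-origin", "strict-origin-when-cross-origin", "no-referrer"}

def _hsts_ok(value):
    """True when max-age is at least one year and includeSubDomains is set."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        name, _, arg = d.partition("=")
        arg = arg.strip().strip('"')
        if name.strip() == "max-age" and arg.isdigit():
            max_age = int(arg)
    return max_age >= 31536000 and "includesubdomains" in directives

# Header name -> predicate on its value (None when the header is absent).
# Assumed pass rules, derived from the recommendations in the help text.
CHECKS = {
    "X-Content-Type-Options": lambda v: v is not None and v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v is not None and v.strip().lower() == "deny",
    # Value from the page; legacy header, ignored by current Chrome and Firefox.
    "X-XSS-Protection": lambda v: v is not None and v.split(";")[0].strip() == "1",
    "Referrer-Policy": lambda v: v is not None and v.strip().lower() in REFERRER_OK,
    "Content-Security-Policy": lambda v: v is not None and v.strip() != "",
    "Strict-Transport-Security": lambda v: v is not None and _hsts_ok(v),
    "X-Powered-By": lambda v: v is None,  # technology banner should be removed
    "Server": lambda v: v is None,        # server banner should be removed
}

def assess(url, headers):
    """Return {check name: passed}; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results = {name: check(lowered.get(name.lower())) for name, check in CHECKS.items()}
    results["HTTPS"] = urlsplit(url).scheme.lower() == "https"
    return results

def failed_checks(url, headers):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in assess(url, headers).items() if not ok)

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "x-content-type-options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "ExampleServer/1.0",
}

if __name__ == "__main__":
    for name, ok in assess("http://example.com/", SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```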

Usage examples

Simplest usage:

dotnet http-security-check https://example.com

Same as above, but writes a textual report:

dotnet http-security-check https://example.com -o=.\Report.txt

The tool has basic support for reporting. By default the report is written to the console.

Contribution

Feel free to create issues and PRs (pull requests) to improve this tool - any help is appreciated! The project is split into three projects:

Core

CodeTherapy.HttpSecurityCheck.csproj is the core library with all the security checks and infrastructure.

Tool

DotnetHttpSecurityCheck.csproj is the dotnet tool console command - a lightweight wrapper around the core.

Tests

CodeTherapy.HttpSecurityCheck.Tests.csproj contains unit tests and integration tests.

Code Coverage (powered by Coverlet)

| Module | Line | Branch | Method |
|---|---|---|---|
| CodeTherapy.HttpSecurityCheck | 85.2% | 78.4% | 83.3% |

Build, Test & Pack

The project separates the three concerns Building, Testing and Packaging. Each of these steps can be executed individually.

BuildTestPack.ps1

This command internally calls Build.ps1, Test.ps1 and Pack.ps1 and supports the following parameters:

| Parameter | Description | Type |
|---|---|---|
| Configuration | Can be set to "Release" or "Debug" | string |
| CollectCoverage | When set, code coverage is calculated | switch |
| NoIntegrationTests | When set, integration tests are skipped | switch |
| Pack | When set, nuget packages are created (call to Pack.ps1) | switch |

Build.ps1

Builds all projects. Supports the Configuration parameter.

Test.ps1

Runs all tests. Supports Configuration, CollectCoverage, NoIntegrationTests and NoBuild parameters.

| Parameter | Description | Type |
|---|---|---|
| NoBuild | The projects are not rebuilt | switch |

Pack.ps1

Creates the NuGet packages in the .\artifacts directory. Supports Configuration and NoBuild parameters.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.