# Step 1: Evidence Details



|CCow Evidence name            |Evidence name|System |Source of data|Frameworks|Purpose       |
|------------------------------|-------------|-------|--------------|----------|--------------|
|StrictTransportSecurityLog    |             |HarFile|HarFile       |          |Analyse Header|
|StdStrictTransportSecurityLog |             |HarFile|HarFile       |          |Analyse Header|
|PublicKeyPinsLog              |             |HarFile|HarFile       |          |Analyse Header|
|StdPublicKeyPinsLog           |             |HarFile|HarFile       |          |Analyse Header|
|ExpectCTLog                   |             |HarFile|HarFile       |          |Analyse Header|
|StdExpectCTLog                |             |HarFile|HarFile       |          |Analyse Header|
|XFrameOptionsLog              |             |HarFile|HarFile       |          |Analyse Header|
|StdXFrameOptionsLog           |             |HarFile|HarFile       |          |Analyse Header|
|AccessControlAllowOriginLog   |             |HarFile|HarFile       |          |Analyse Header|
|StdAccessControlAllowOriginLog|             |HarFile|HarFile       |          |Analyse Header|
|XContentTypeOptionsLog        |             |HarFile|HarFile       |          |Analyse Header|
|StdXContentTypeOptionsLog     |             |HarFile|HarFile       |          |Analyse Header|
|RefererPolicyLog              |             |HarFile|HarFile       |          |Analyse Header|
|StdRefererPolicyLog           |             |HarFile|HarFile       |          |Analyse Header|
|ETagLog                       |             |HarFile|HarFile       |          |Analyse Header|
|StdETagLog                    |             |HarFile|HarFile       |          |Analyse Header|

```
Purpose
Analyze HTTP headers from HarFile logs to ensure compliance and generate a security report.
```


# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

---

In [None]:
##@title # System Specific Schema / Extended Schema
variable_name = False
[
	#ACCESS-CONTROL-ALLOW-ORIGIN
	{
		"Host": "github.com",
		"URL": "/ContiNube/PolicyCow/tree/dev/rules/Rule6009_GitCodeReview",
		"Header": {
			"Name": "ACCESS-CONTROL-ALLOW-ORIGIN",
			"Value": ""
		},
		"Status": "passed",
		"StatusDescription": "",
		"Remediation": "",
		"Info": "",
		"Warning": "",
		"Error": "",
		"Attributes": [],
		"Rules": null,
		"Category": ""
	},
]


# Step 3: Define the Standard Schema

In [None]:

    # Action editable data
[
	{
		"System": "github.com",
		"Source": "compliancecow",
		"ResourceId": "/assets/light-d46e2b60992dc114d02a7edf55f254c4.css",
		"ResourceType": "Header",
		"ResourceName": "github.githubassets.com",
		"ResourceUrl": "/assets/light-d46e2b60992dc114d02a7edf55f254c4.css",
		"Header": {
			"Name": "access-control-allow-origin",
			"Value": "*"
		},
		"ComplianceStatus": "NON_COMPLIANT",
		"ComplianceStatusReason": "The setting is non-compliant because the Access-Control-Allow-Origin header value is invalid, potentially allowing unauthorized origins to access resources, compromising security.",
		"ValidationStatusCode": "ACAO_P_IV",
		"ValidationStatusNotes": "Access-Control-Allow-Origin header present with invalid value",
		"EvaluatedTime": "",
		"Action": "",
		"Tags": ""
	},
]

# Step 3.a: Sample Data

| System                 | Source                 | ResourceId                                  | ResourceType | ResourceName          | ResourceUrl                                     | Header                   | ComplianceStatus | ComplianceStatusReason                                       | ValidationStatusCode | ValidationStatusNotes                                                                                                      | EvaluatedTime | Action | Tags |
|------------------------|------------------------|---------------------------------------------|--------------|-----------------------|-------------------------------------------------|--------------------------|------------------|--------------------------------------------------------------|----------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|--------|------|
| github.com | compliancecow | /assets/light-d46e2b60992dc114d02a7edf55f254c4.css | Header       | github.githubassets.com | /assets/light-d46e2b60992dc114d02a7edf55f254c4.css | Name: access-control-allow-origin<br>Value: * | NON_COMPLIANT   | The setting is non-compliant because the Access-Control-Allow-Origin header value is invalid, potentially allowing unauthorized origins to access resources, compromising security.|ACAO_P_IV| Access-Control-Allow-Origin header present with invalid value|                |        |      |

# Step 4: Describe the Compliance Taxonomy:


|ValidationStatusCode|ComplianceStatusReason|ComplianceStatus|ValidationStatusNotes|
|---|----|----|----|
| STTS_P_VV | The setting is compliant as it ensures HTTPS enforcement, protects against downgrade attacks, aligns with security best practices. | COMPLIANT | Strict-Transport-Security header present with valid value |
| STTS_NP | This setting is non-compliant as a missing Strict-Transport-Security header results in vulnerability to downgrade attacks, potential exposure to MITM attacks. | NON_COMPLIANT | Strict-Transport-Security header not present |
| STTS_P_W_PR | The setting is non-compliant because the preload directive requests inclusion in browser HSTS preload lists, which is effectively irreversible: removal is slow and only reaches users with new browser releases, so a later policy change or error is hard to undo. | NON_COMPLIANT | Strict-Transport-Security header present with preload |
| PKP_P | This setting is non-compliant as public key pins are deprecated and no longer recommended due to significant operational risks and potential security issues. | NON_COMPLIANT | Public-Key-Pins header present |
| PKP_NP | This setting is compliant as public key pins are deprecated and no longer recommended due to significant operational risks and potential security issues. | COMPLIANT | Public-Key-Pins header not present |
| ECT_NP | The setting is non-compliant because Expect-CT header is not present, which could lead to potential exposure to unauthorized certificates and reduced trust in issued certificates. | NON_COMPLIANT | Expect-CT header not present |
| ECT_P_EMT | The setting is non-compliant because an empty Expect-CT header does not provide any policy enforcement or protection, leaving the site vulnerable to certificate-related attacks. | NON_COMPLIANT | Expect-CT header present but is empty |
| ECT_P_RU_IV | This setting is non-compliant because the Expect-CT header's report-uri value is empty or invalid, which leads to potential exposure to unauthorized certificates and reduced trust in issued certificates. | NON_COMPLIANT | Expect-CT header present with invalid report-uri or empty |
| ECT_P_RU_VL | The setting is compliant because the Expect-CT header includes a valid report-uri value. This enables the server to report compliance and any violations of the Certificate Transparency (CT) policy to the specified URI, enhancing security and trust in issued certificates. | COMPLIANT | Expect-CT header present with valid report-uri value |
| XFO_P_VV | This setting is compliant as it helps mitigate clickjacking attacks by restricting which pages may frame the site. | COMPLIANT | X-Frame-Options header present with valid value |
| XFO_NP | This setting is non-compliant as X-Frame-Options header is missing, which leads to vulnerability to clickjacking attacks, potential iframe embedding on malicious sites. | NON_COMPLIANT | X-Frame-Options header not present |
| XFO_P_DY | The setting is compliant because DENY enhances security by completely preventing your web page from being framed by any other page, regardless of the origin. | COMPLIANT | X-Frame-Options header present with value DENY |
| XFO_P_SO | The setting is compliant because SAMEORIGIN enhances security by allowing your web page to be framed only by pages that originate from the same domain. | COMPLIANT | X-Frame-Options header present with value SAMEORIGIN |
| XFO_P_AF | The setting is non-compliant because `ALLOW-FROM <uri>` is obsolete: modern browsers do not support it and ignore the header entirely, so the page remains frameable by any origin; use the Content-Security-Policy frame-ancestors directive to allow specific origins. | NON_COMPLIANT | X-Frame-Options header present with value ALLOW-FROM |
| ACAO_P_VV | The setting is compliant because the Access-Control-Allow-Origin header is properly configured to specify allowed origins. This helps ensure that cross-origin requests are handled securely without exposing resources to unauthorized origins. | COMPLIANT | Access-Control-Allow-Origin header present with valid value |
| ACAO_NP | The setting is non-compliant because the Access-Control-Allow-Origin header is missing, so the resource declares no explicit CORS policy and the set of origins that may read it cannot be verified. | NON_COMPLIANT | Access-Control-Allow-Origin header not present |
| ACAO_P_IV | The setting is non-compliant because the Access-Control-Allow-Origin header value is invalid (for example the wildcard `*`, as in the sample data above, or a value that is not a single origin), potentially allowing unauthorized origins to read the resource. | NON_COMPLIANT | Access-Control-Allow-Origin header present with invalid value |
| XCTO_NP | The setting is non-compliant because X-Content-Type-Options header is missing, which allows browsers to perform MIME type sniffing, potentially increasing the risk of XSS attacks. | NON_COMPLIANT | X-Content-Type-Options header not present |
| XCTO_P_WO_NO_SNF | The setting is non-compliant because X-Content-Type-Options header allows browsers to perform MIME type sniffing, potentially increasing the risk of XSS attacks. | NON_COMPLIANT | X-Content-Type-Options header present without nosniff |
| XCTO_P_W_NO_SNF | The setting is compliant as X-Content-Type-Options header prevents MIME type sniffing, enhancing security against certain types of attacks such as XSS. | COMPLIANT | X-Content-Type-Options header present with nosniff |
| RP_NP | The setting is non-compliant because the absence of the Referrer-Policy header allows browsers to use their default behavior for handling referrer information. This default behavior may not provide sufficient control over referrer headers, potentially exposing sensitive information. | NON_COMPLIANT | Referrer-Policy header not present |
| RP_P_W_US | The setting is non-compliant because unsafe-url allows sending referrer information to URLs that may not be trusted. This can expose sensitive data to potentially malicious entities, undermining security and privacy measures. | NON_COMPLIANT | Referrer-Policy header present with value unsafe-url |
| RP_P_W_VV | The setting is compliant because a valid Referrer-Policy header is present, indicating a specified policy for handling referrer information, enhancing security and privacy. | COMPLIANT | Referrer-Policy header present with valid value |
| ETG_P_VL | The setting is compliant as the ETag header is present with a strong entity tag value, supporting efficient resource validation and caching. | COMPLIANT | ETag header present and is valid |
| ETG_NP | The setting is non-compliant because the ETag header is not present, potentially hindering caching mechanisms and resource validation efficiency. | NON_COMPLIANT | ETag header not present |
| ETG_P_WK | The setting is non-compliant because the ETag header is present with a weak entity tag value, which may not provide adequate security or reliability for caching. | NON_COMPLIANT | ETag header present and is weak |

In [None]:
Strict-Transport-Security Header

Case 1: Header Present with Valid Value

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant as it ensures HTTPS enforcement, protects against downgrade attacks, aligns with security best practices."
	ValidationStatusCode = "STTS_P_VV"
	ValidationStatusNotes = "Strict-Transport-Security header present with valid value"

Case 2: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "This setting is non-compliant as a missing Strict-Transport-Security header results in vulnerability to downgrade attacks, potential exposure to MITM attacks."
	ValidationStatusCode = "STTS_NP"
	ValidationStatusNotes = "Strict-Transport-Security header not present"

Case 3: Header Present with Preload

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the preload directive requests inclusion in browser HSTS preload lists, which is effectively irreversible: removal is slow and only reaches users with new browser releases, so a later policy change or error is hard to undo."
	ValidationStatusCode = "STTS_P_W_PR"
	ValidationStatusNotes = "Strict-Transport-Security header present with preload"

Public-Key-Pins Header

Case 1: Header Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "This setting is non-compliant as public key pins are deprecated and no longer recommended due to significant operational risks and potential security issues."
	ValidationStatusCode = "PKP_P"
	ValidationStatusNotes = "Public-Key-Pins header present"

Case 2: Header Not Present

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "This setting is compliant as public key pins are deprecated and no longer recommended due to significant operational risks and potential security issues."
	ValidationStatusCode = "PKP_NP"
	ValidationStatusNotes = "Public-Key-Pins header not present"

Expect-CT Header

Note: Expect-CT is deprecated and current browsers no longer enforce it, so the cases below only matter where the rule is still configured to evaluate this header.

Case 1: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because Expect-CT header is not present, which could lead to potential exposure to unauthorized certificates and reduced trust in issued certificates."
	ValidationStatusCode = "ECT_NP"
	ValidationStatusNotes = "Expect-CT header not present"

Case 2: Header Present but Empty

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because an empty Expect-CT header does not provide any policy enforcement or protection, leaving the site vulnerable to certificate-related attacks."
	ValidationStatusCode = "ECT_P_EMT"
	ValidationStatusNotes = "Expect-CT header present but is empty"

Case 3: Header Present with Invalid or Empty Report-URI

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "This setting is non-compliant because the Expect-CT header's report-uri value is empty or invalid, which leads to potential exposure to unauthorized certificates and reduced trust in issued certificates."
	ValidationStatusCode = "ECT_P_RU_IV"
	ValidationStatusNotes = "Expect-CT header present with invalid report-uri or empty"

Case 4: Header Present with Valid Report-URI Value

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant because the Expect-CT header includes a valid report-uri value. This enables the server to report compliance and any violations of the Certificate Transparency (CT) policy to the specified URI, enhancing security and trust in issued certificates."
	ValidationStatusCode = "ECT_P_RU_VL"
	ValidationStatusNotes = "Expect-CT header present with valid report-uri value"

X-Frame-Options Header

Case 1: Header Present with Valid Value

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "This setting is compliant as it helps mitigate clickjacking attacks by restricting which pages may frame the site."
	ValidationStatusCode = "XFO_P_VV"
	ValidationStatusNotes = "X-Frame-Options header present with valid value"

Case 2: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "This setting is non-compliant as X-Frame-Options header is missing, which leads to vulnerability to clickjacking attacks, potential iframe embedding on malicious sites."
	ValidationStatusCode = "XFO_NP"
	ValidationStatusNotes = "X-Frame-Options header not present"

Case 3: Header Present with Value DENY

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant because DENY enhances security by completely preventing your web page from being framed by any other page, regardless of the origin."
	ValidationStatusCode = "XFO_P_DY"
	ValidationStatusNotes = "X-Frame-Options header present with value DENY"

Case 4: Header Present with Value SAMEORIGIN

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant because SAMEORIGIN enhances security by allowing your web page to be framed only by pages that originate from the same domain."
	ValidationStatusCode = "XFO_P_SO"
	ValidationStatusNotes = "X-Frame-Options header present with value SAMEORIGIN"

Case 5: Header Present with Value ALLOW-FROM

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because ALLOW-FROM <uri> is obsolete: modern browsers do not support it and ignore the header entirely, so the page remains frameable by any origin; use the Content-Security-Policy frame-ancestors directive to allow specific origins."
	ValidationStatusCode = "XFO_P_AF"
	ValidationStatusNotes = "X-Frame-Options header present with value ALLOW-FROM"

Access-Control-Allow-Origin Header

Case 1: Header Present with Valid Value

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant because the Access-Control-Allow-Origin header is properly configured to specify allowed origins. This helps ensure that cross-origin requests are handled securely without exposing resources to unauthorized origins."
	ValidationStatusCode = "ACAO_P_VV"
	ValidationStatusNotes = "Access-Control-Allow-Origin header present with valid value"

Case 2: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the Access-Control-Allow-Origin header is missing, so the resource declares no explicit CORS policy and the set of origins that may read it cannot be verified."
	ValidationStatusCode = "ACAO_NP"
	ValidationStatusNotes = "Access-Control-Allow-Origin header not present"

Case 3: Header Present with Invalid Value

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the Access-Control-Allow-Origin header value is invalid (for example the wildcard * or a value that is not a single origin), potentially allowing unauthorized origins to read the resource."
	ValidationStatusCode = "ACAO_P_IV"
	ValidationStatusNotes = "Access-Control-Allow-Origin header present with invalid value"

X-Content-Type-Options Header

Case 1: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because X-Content-Type-Options header is missing, which allows browsers to perform MIME type sniffing, potentially increasing the risk of XSS attacks."
	ValidationStatusCode = "XCTO_NP"
	ValidationStatusNotes = "X-Content-Type-Options header not present"

Case 2: Header Present without nosniff

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because X-Content-Type-Options header allows browsers to perform MIME type sniffing, potentially increasing the risk of XSS attacks."
	ValidationStatusCode = "XCTO_P_WO_NO_SNF"
	ValidationStatusNotes = "X-Content-Type-Options header present without nosniff"

Case 3: Header Present with nosniff

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant as X-Content-Type-Options header prevents MIME type sniffing, enhancing security against certain types of attacks such as XSS."
	ValidationStatusCode = "XCTO_P_W_NO_SNF"
	ValidationStatusNotes = "X-Content-Type-Options header present with nosniff"

Referrer-Policy Header

Case 1: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the absence of the Referrer-Policy header allows browsers to use their default behavior for handling referrer information. This default behavior may not provide sufficient control over referrer headers, potentially exposing sensitive information."
	ValidationStatusCode = "RP_NP"
	ValidationStatusNotes = "Referrer-Policy header not present"

Case 2: Header Present with unsafe-url

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because unsafe-url allows sending referrer information to URLs that may not be trusted. This can expose sensitive data to potentially malicious entities, undermining security and privacy measures."
	ValidationStatusCode = "RP_P_W_US"
	ValidationStatusNotes = "Referrer-Policy header present with value unsafe-url"

Case 3: Header Present with Valid Value

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant because a valid Referrer-Policy header is present, indicating a specified policy for handling referrer information, enhancing security and privacy."
	ValidationStatusCode = "RP_P_W_VV"
	ValidationStatusNotes = "Referrer-Policy header present with valid value"

ETag Header

Case 1: Header Present and Valid

	ComplianceStatus = "COMPLIANT"
	ComplianceStatusReason = "The setting is compliant as the ETag header is present with a strong entity tag value, supporting efficient resource validation and caching."
	ValidationStatusCode = "ETG_P_VL"
	ValidationStatusNotes = "ETag header present and is valid"

Case 2: Header Not Present

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the ETag header is not present, potentially hindering caching mechanisms and resource validation efficiency."
	ValidationStatusCode = "ETG_NP"
	ValidationStatusNotes = "ETag header not present"

Case 3: Header Present and Weak

	ComplianceStatus = "NON_COMPLIANT"
	ComplianceStatusReason = "The setting is non-compliant because the ETag header is present with a weak entity tag value, which may not provide adequate security or reliability for caching."
	ValidationStatusCode = "ETG_P_WK"
	ValidationStatusNotes = "ETag header present and is weak"

# Step 5: Calculation for Compliance Percentage and Status


In [None]:
# Calculation of Compliance Percentage
CompliancePCT = (1 - [Count of 'NON_COMPLIANT' records / Total records]) * 100

# Compliance Status
COMPLIANT     - CompliancePCT == 100%
NON_COMPLIANT - 0% <= CompliancePCT < 100%
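The following is an added example, written for this page and not the PolicyCow rule's own code, that implements the Step 4 case logic for four of the headers (Strict-Transport-Security, X-Frame-Options, Access-Control-Allow-Origin, X-Content-Type-Options) over a HAR file and then applies the Step 5 roll-up. The HAR fragment is constructed, the function names (`classify_hsts`, `evaluate_har`, `compliance` and so on) are this example's own, and two situations the taxonomy does not name (an HSTS value with no positive max-age, and an unrecognised X-Frame-Options token, both of which browsers do not enforce) are reported as non-compliant with no ValidationStatusCode rather than silently passed. The wildcard `*` is treated as ACAO_P_IV, as in the Step 3 sample data; `null` is treated the same way because sandboxed and opaque-origin documents match it.

```python
# Added example (not the PolicyCow rule's API): classify HAR response headers into
# the page's ValidationStatusCode taxonomy and compute the Step 5 compliance roll-up.
import json
from urllib.parse import urlsplit

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"

# Constructed HAR fragment (not captured from a real site): one hardened response
# and one carrying the typical findings from the taxonomy.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"request": {"url": "https://www.example.test/index.html"},
  "response": {"headers": [
    {"name": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains"},
    {"name": "X-Frame-Options", "value": "SAMEORIGIN"},
    {"name": "X-Content-Type-Options", "value": "nosniff"},
    {"name": "Access-Control-Allow-Origin", "value": "https://app.example.test"}]}},
 {"request": {"url": "https://www.example.test/assets/app.css"},
  "response": {"headers": [
    {"name": "strict-transport-security", "value": "max-age=300; preload"},
    {"name": "x-frame-options", "value": "ALLOW-FROM https://partner.example.test"},
    {"name": "access-control-allow-origin", "value": "*"}]}}]}}""")

def _directives(value):
    """'max-age=300; preload' -> {'max-age': '300', 'preload': ''} (names lower-cased)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def classify_hsts(value):
    if value is None:
        return "STTS_NP", NON_COMPLIANT
    d = _directives(value)
    if "preload" in d:                      # the page's taxonomy treats preload as a finding
        return "STTS_P_W_PR", NON_COMPLIANT
    if d.get("max-age", "").isdigit() and int(d["max-age"]) > 0:
        return "STTS_P_VV", COMPLIANT
    # Present but without a positive max-age: not enforced by browsers and not
    # named in the page's taxonomy, so surfaced with no code (this example's choice).
    return None, NON_COMPLIANT

XFO_CODES = {"DENY": ("XFO_P_DY", COMPLIANT), "SAMEORIGIN": ("XFO_P_SO", COMPLIANT)}

def classify_xfo(value):
    if value is None:
        return "XFO_NP", NON_COMPLIANT
    v = value.strip().upper()
    if v.startswith("ALLOW-FROM"):          # obsolete; modern browsers ignore the header
        return "XFO_P_AF", NON_COMPLIANT
    return XFO_CODES.get(v, (None, NON_COMPLIANT))   # unknown token: ignored, no code on page

def classify_acao(value):
    """Valid means exactly one serialized origin (scheme://host[:port])."""
    if value is None:
        return "ACAO_NP", NON_COMPLIANT
    v = value.strip()
    if v in ("*", "null") or " " in v:      # wildcard, null origin, or a list of origins
        return "ACAO_P_IV", NON_COMPLIANT
    p = urlsplit(v)
    if p.scheme in ("http", "https") and p.netloc and not (p.path or p.query or p.fragment):
        return "ACAO_P_VV", COMPLIANT
    return "ACAO_P_IV", NON_COMPLIANT

def classify_xcto(value):
    if value is None:
        return "XCTO_NP", NON_COMPLIANT
    if value.strip().lower() == "nosniff":
        return "XCTO_P_W_NO_SNF", COMPLIANT
    return "XCTO_P_WO_NO_SNF", NON_COMPLIANT

CHECKS = {"strict-transport-security": classify_hsts, "x-frame-options": classify_xfo,
          "access-control-allow-origin": classify_acao, "x-content-type-options": classify_xcto}

def evaluate_har(har):
    """One Standard-Schema-style record per (response, checked header)."""
    records = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        # Header names are case-insensitive; a repeated header keeps its last value.
        headers = {h["name"].lower(): h["value"] for h in entry["response"]["headers"]}
        for name, check in CHECKS.items():
            code, status = check(headers.get(name))
            records.append({"ResourceName": url.hostname, "ResourceUrl": url.path,
                            "Header": {"Name": name, "Value": headers.get(name, "")},
                            "ComplianceStatus": status, "ValidationStatusCode": code})
    return records

def compliance(records):
    """Step 5: percentage = (1 - NON_COMPLIANT / total) * 100; COMPLIANT only at 100%."""
    if not records:
        raise ValueError("no records evaluated")
    bad = sum(r["ComplianceStatus"] == NON_COMPLIANT for r in records)
    pct = round((1 - bad / len(records)) * 100, 2)
    return pct, (COMPLIANT if pct == 100 else NON_COMPLIANT)

if __name__ == "__main__":
    print(compliance(evaluate_har(SAMPLE_HAR)))   # (50.0, 'NON_COMPLIANT')
```

Against the constructed HAR the first response yields four COMPLIANT records and the second four NON_COMPLIANT ones (preload, ALLOW-FROM, wildcard ACAO, missing X-Content-Type-Options), so the roll-up is 50% and the control status is NON_COMPLIANT, matching the Step 5 rule that anything below 100% fails. Header lookup is case-insensitive because HAR files record names exactly as the server sent them, as the Step 3 sample (lower-case `access-control-allow-origin`) shows.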

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

In [None]:
1. CreateJiraTicket
2. NotifyBySlackChannel




# Step 7: Control Setup Details
| Control Details            |                                         |
|----------------------------|-----------------------------------------|
| **RuleName**               | PrivacyBisonCheckHeaders                |
| **PreRequisiteRuleNames**  | N/A                                     |
| **ExtendedSchemaRuleNames**| N/A                                     |
| **ApplicationClassName**   | privacybisonconnector                   |


