Skip to content

Venom tests suite to validate an HTTP security response headers configuration against OSHP recommendation.

License

Notifications You must be signed in to change notification settings

oshp/oshp-validator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

49 Commits
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

OWASP Secure Headers Project validator

Validate test suites

Venom test suites to validate an HTTP security response headers configuration against OSHP recommendation.

๐ŸŽฏ The objective is to provide a way to validate the configuration of non-Internet exposed applications in a flexible/portable way.

๐Ÿ’ก You can use the provided test suites, as a foundation, to tailor it to your context.

๐Ÿ“‘ Syntax for the test suitesfile is validated using this yamllint configuration file.

Why venom?

๐Ÿค” We chose to leverage this tool for the following reasons:

  • It is free and open source.
  • It does not need any installation: Standalone binary file provided but you can easily compile it if you want a full control over the binary executed.
  • It is cross-platform.
  • It uses a descriptive approach for a tests suite and, then, do not need any code (or coding skills) to add/update a test.

Tests suite

Note: This tests suite is always synchronized with the latest OSHP recommendation.

๐Ÿ“‹ It is provided via this single file.

๐Ÿ’ป Visual Studio Code is used for the tests suite development. A Visual Studio Code workspace file is provided for the project with recommended extensions.

๐Ÿ“ The following parameters are supported:

Parameter name Description Default value Mandatory
target_site URL of the site for which the headers configuration must be tested. "" Yes
internet_facing Boolean to specify if the tested app is currently reachable from Internet and then can be tested with the securityheaders.com online tools. false No
logout_url Relative path to the logout endpoint of the app. Use to test the configuration of the header "Clear-Site-Data". "" No
request_timeout_in_seconds Maximum waiting time in seconds for response from the target app. 20 No

How to use it?

๐Ÿ’ป Follow the steps below.

  1. Get a release of venom for your platform.
  2. Run one the following commands corresponding to your context:
# Using default values for "internet_facing" and "logout_url" parameters
$ venom run --var="target_site=https://mysite.com" tests_suite.yml
# Using parameter to include the results from "securityheaders.com" online tools
$ venom run --var="target_site=https://mysite.com" --var="internet_facing=true" tests_suite.yml 
# Using parameter to specify the logout page for the test of the header "Clear-Site-Data"
$ venom run --var="target_site=https://mysite.com" --var="logout_url=/logout" tests_suite.yml 

๐Ÿ‘๏ธโ€๐Ÿ—จ๏ธ Live usage example:

asciicast

๐Ÿ’ก Hints:

Venom returns a code different from zero when a test fail or when you try an update and your version is the latest one. Therefore, to prevent your script to fail then add || true at the end of your command.

Reporting

This section of the venom documentation describes the different formats supported for the integration in a CI/CD platform.

Tests suite mock service

The python script test_suite_mock.py provides a mock endpoint returning an HTTP response, for which, all HTTP response headers recommended by the OSHP will be set.

๐Ÿ“ฆ It is automatically deployed on https://oshp-validator-mock.onrender.com and it is used, by this CI workflow, to test the venom tests suite.

Case sensitivity for header names in Venom

๐Ÿ“– See here from the version 1.2.0.

About

Venom tests suite to validate an HTTP security response headers configuration against OSHP recommendation.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Languages