From e7626dba8c84fd07cbd0e6ec9a88080d4d98e182 Mon Sep 17 00:00:00 2001
From: santoru
Date: Sun, 5 May 2024 11:06:23 +0200
Subject: [PATCH] Check headers regardless of case
---
 shcheck/shcheck.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shcheck/shcheck.py b/shcheck/shcheck.py
index be37c34..7068f21 100755
--- a/shcheck/shcheck.py
+++ b/shcheck/shcheck.py
@@ -317,19 +317,19 @@ def main():
 # Taking care of special headers that could have bad values
 # X-XSS-Protection Should be enabled
- if safeh == 'X-XSS-Protection' and headers.get(lsafeh) == '0':
+ if safeh == 'X-XSS-Protection'.lower() and headers.get(lsafeh) == '0':
 log("[*] Header {} is present! (Value: {})".format(
 colorize(safeh, 'ok'),
 colorize(headers.get(lsafeh), 'warning')))
 # unsafe-url policy is more insecure compared to the default/unset value
- elif safeh == 'Referrer-Policy' and headers.get(lsafeh) == 'unsafe-url':
+ elif safeh == 'Referrer-Policy'.lower() and headers.get(lsafeh) == 'unsafe-url':
 log("[!] Insecure header {} is set! (Value: {})".format(
 colorize(safeh, 'warning'),
 colorize(headers.get(lsafeh), 'error')))
 # check for max-age=0 in HSTS
- elif safeh == 'Strict-Transport-Security' and "max-age=0" in headers.get(lsafeh):
+ elif safeh == 'Strict-Transport-Security'.lower() and "max-age=0" in headers.get(lsafeh):
 log("[!] Insecure header {} is set! (Value: {})".format(
 colorize(safeh, 'warning'),
 colorize(headers.get(lsafeh), 'error')))
@@ -343,7 +343,7 @@ def main():
 unsafe += 1
 json_results["missing"].append(safeh)
 # HSTS works obviously only on HTTPS
- if safeh == 'Strict-Transport-Security' and not is_https(rUrl):
+ if safeh == 'Strict-Transport-Security'.lower() and not is_https(rUrl):
 unsafe -= 1
 json_results["missing"].remove(safeh)
 continue
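Review bot: The header-value checks in the first hunk stay case-sensitive even though the header-name comparison is now lowercased: `"max-age=0" in headers.get(lsafeh)` does not match `Max-Age=0`, and HSTS directive names are case-insensitive (RFC 6797), so a server that disables HSTS with a capitalised directive is still reported as safe; `"max-age=0" in headers.get(lsafeh).lower()` closes that gap, and the `'0'` and `'unsafe-url'` comparisons likely want the same treatment unless the values are normalised elsewhere. Calling `.lower()` on a string literal at each comparison is also an odd way to express the intent and is repeated in the second hunk; the literals themselves should be lowercase (`if safeh == 'x-xss-protection' and headers.get(lsafeh) == '0':`), or the lowercase keys kept alongside the display names so the two cannot drift. If `safeh` is now the lowercased key, `colorize(safeh, ...)` and `json_results["missing"].append(safeh)` will emit the lowercased name, which is presumably intended but worth confirming against the JSON consumers. The enclosing `main()` starts and ends outside both hunks.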