---
# Semgrep audit rule: reports ASP.NET Core startup code that configures the
# request pipeline or the service container without enabling HSTS.
#
# Coverage is limited to the classic Startup shape: both branches only look
# inside a `public void Configure(...)` / `public void ConfigureServices(...)`
# method, so applications that wire up the pipeline elsewhere are not
# examined by this rule.
rules:
  - id: missing-hsts-header
    pattern-either:
      # Branch 1: any use of the IApplicationBuilder inside Configure(...)
      # is reported unless UseHsts(...) appears somewhere in that method.
      - patterns:
          - pattern-inside: |
              public void Configure(...) {
                ...
                (IApplicationBuilder $APP). ...;
                ...
              }
          # Report only the builder expression, not the whole method body.
          - focus-metavariable: $APP
          - pattern-not-inside: |
              public void Configure(...) {
                ...
                (IApplicationBuilder $APP).UseHsts(...);
                ...
              }
      # Branch 2: the same shape for the service container and AddHsts(...).
      # NOTE(review): AddHsts(...) configures HstsOptions and UseHsts(...) does
      # not require it, so this branch may report applications that do emit
      # the header — consistent with the LOW confidence / audit subcategory.
      - patterns:
          - pattern-inside: |
              public void ConfigureServices(...) {
                ...
                (IServiceCollection $SERVICES). ...;
                ...
              }
          - focus-metavariable: $SERVICES
          - pattern-not-inside: |
              public void ConfigureServices(...) {
                ...
                (IServiceCollection $SERVICES).AddHsts(...);
                ...
              }
    # Folded scalar: loads as a single line, same value as the plain scalar.
    message: >-
      The HSTS HTTP response security header is missing, allowing interaction
      and communication to be sent over the insecure HTTP protocol.
    metadata:
      category: security
      technology:
        - dotnet
      # NOTE(review): the OWASP category (A07) and the OWASP reference link
      # (A02 Cryptographic Failures) below do not agree — confirm which one
      # is intended.
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      references:
        - https://cwe.mitre.org/data/definitions/346.html
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
    languages:
      - csharp
    severity: WARNING