feat: update HSTS checks to use the apex domain if it's available

sesh · Mar 9, 2024 · 3e09e3f · 3e09e3f
1 parent c57c7df
commit 3e09e3f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/ready/checks/hsts.py b/ready/checks/hsts.py
@@ -17,7 +17,7 @@ def check_hsts_header_should_be_included_in_response(responses, **kwargs):
 def check_hsts_header_should_have_a_long_max_age(responses, **kwargs):
     try:
         hsts = responses["response"].headers.get("strict-transport-security", "")
-        max_age_re = re.compile("max-age=(\d+)", re.IGNORECASE)
+        max_age_re = re.compile(r"max-age=(\d+)", re.IGNORECASE)
         m = max_age_re.match(hsts)
         max_age = int(m.groups()[0])
         if max_age < 31536000:
@@ -40,9 +40,15 @@ def check_hsts_header_should_have_a_long_max_age(responses, **kwargs):
 # Check: HSTS Header should have includeSubdomains
 def check_hsts_header_should_have_includesubdomains(responses, **kwargs):
     hsts = responses["response"].headers.get("strict-transport-security", "")
+
+    # this check uses the response from the Apex/Second level domain if it fails for the
+    # provided domain. See: https://github.com/sesh/ready/issues/22
+    if "includesubdomains" not in hsts.lower() and responses.get("response_fld"):
+        hsts = responses["response_fld"].headers.get("strict-transport-security", "") + " (from apex domain)"
+
     return result(
         "includesubdomains" in hsts.lower(),
-        f"HSTS Header should have includeSubdomains ({hsts})",
+        f"HSTS Header should have includeSubDomains ({hsts})",
         "ssl_hsts_subdomains",
         **kwargs,
     )
@@ -51,9 +57,15 @@ def check_hsts_header_should_have_includesubdomains(responses, **kwargs):
 # Check: HSTS Header should have preload
 def check_hsts_header_should_have_preload(responses, **kwargs):
     hsts = responses["response"].headers.get("strict-transport-security", "")
+
+    # this check use the response from the Apex/Second Level domain if it exists
+    # instead of any subdomains. See: https://github.com/sesh/ready/issues/22
+    if responses.get("response_fld"):
+        hsts = responses["response_fld"].headers.get("strict-transport-security", "") + " (from apex domain)"
+
     return result(
-        "preload" in hsts.lower(),
-        f"HSTS Header should have preload ({hsts})",
+        "preload" in hsts.lower() and "includesubdomains" in hsts.lower(),
+        f"HSTS Header should have preload and includeSubDomains ({hsts})",
         "ssl_hsts_preload",
         **kwargs,
     )
diff --git a/ready/ready.py b/ready/ready.py
@@ -7,7 +7,7 @@
 from importlib import resources
 from . import checks as checks_module
 
-VERSION = "1.4.0"
+VERSION = "1.5.0"
 
 from ready.checks.bad_response import (
     check_bad_response_cloudflare,
@@ -152,7 +152,7 @@ def ready(
     if USE_FLD:
         fld = get_fld(domain, fix_protocol=True)
     else:
-        fld = "Disabled. Install tld if fld is different to domain."
+        fld = "Disabled. Install tld to improve support for subdomains."
 
     if not hide_output:
         print(f"URL (no scheme): {domain}, Domain (no path): {domain_with_no_path}, Second Level Domain: {fld}")
@@ -221,6 +221,10 @@ def ready(
     )
 
     if USE_FLD and domain != fld:
+        responses["response_fld"] = response_or_none(
+            f"https://{fld}", "response_fld", request_filter, verify=False, headers=DEFAULT_HEADERS, timeout=3
+        )
+
         responses["dns_ns_response_fld"] = response_or_none(f"https://dns.google/resolve?name={fld}&type=NS")
         responses["dns_mx_response_fld"] = response_or_none(f"https://dns.google/resolve?name={fld}&type=MX")
         responses["dns_spf_response_fld"] = response_or_none(f"https://dns.google/resolve?name={fld}&type=SPF")

diff --git a/setup.cfg b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = ready-check
-version = 1.4.0
+version = 1.5.0
 author = Brenton Cleeland
 author_email = brenton@brntn.me
 description = A developer-friendly web scanning tool