Feature: 1 new insecure check

rfc-st · rfc-st · commit 07f71e9dc8bb · 2025-04-16T18:59:45.000+02:00
Content-Security-Policy-Report-Only - Ignored Header
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 <a target="_blank" href="https://devguide.python.org/versions/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.9-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20Release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2025--04--12-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2025--04--16-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://pkg.kali.org/pkg/humble" title="Official tool in Kali Linux"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
 <br />
 <a target="_blank" href="#" title="Featured on:"><img src="https://img.shields.io/badge/Featured%20on:-343b41"></a>
@@ -63,7 +63,7 @@
 :heavy_check_mark: 58 [checks](#checks-enabled-headers) for enabled security-related HTTP response headers.<br />
 :heavy_check_mark: 14 [checks](#checks-missing-headers) for missing security-related HTTP response headers (the ones I consider essential).<br />
 :heavy_check_mark: 1225 [checks](#checks-fingerprint-headers) for fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 136 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 137 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: Checks compliance with OWASP <a href="https://owasp.org/www-project-secure-headers/#div-bestpractices" target="_blank">'Secure Headers Project'<a> Best Practices.<br />
 :heavy_check_mark: SSL/TLS checks: requires the **amazing** https://testssl.sh/.<br />
 :heavy_check_mark: Browser support references for enabled HTTP security headers: provided by https://caniuse.com/.<br />
diff --git a/additional/insecure.txt b/additional/insecure.txt
@@ -57,7 +57,8 @@ Content-Security-Policy: Unsafe Directive
 Content-Security-Policy: Unsafe Funcionality
 Content-Security-Policy: Unsafe Nonce
 Content-Security-Policy: Unsafe Values
-Content-Security-Policy-Report-Only: Deprecated Directives
+Content-Security-Policy-Report-Only: Ignored Directives
+Content-Security-Policy-Report-Only: Ignored Header
 Content-Type: Deprecated Values
 Content-Type: Incorrect Value - Response body
 Content-Type: Non-HTML MIME type
diff --git a/humble.py b/humble.py
@@ -153,7 +153,7 @@
 XML_STRING = ('Ref: ', 'Value: ', 'Valor: ')
 
 current_time = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-local_version = datetime.strptime('2025-04-12', '%Y-%m-%d').date()
+local_version = datetime.strptime('2025-04-16', '%Y-%m-%d').date()
 
 
 class SSLContextAdapter(requests.adapters.HTTPAdapter):
@@ -1710,19 +1710,6 @@ def check_owasp_compliance(tmp_filename):
     print_detail('[comp_experimental]', 2)
 
 
-def print_owasp_missing_old(header_list):
-    print(linesep.join(['']*2))
-    print(f"{STYLE[0]}{get_detail('[comp_analysis]')}")
-    print(f'  URL: {URL}')
-    print(f" {get_detail('[comp_ko_owasp]')}")
-    print(f"\n{STYLE[0]}{get_detail('[comp_rec]')}{STYLE[5]}")
-    if missing_owasp := [header for header in header_list if header not in
-                         headers_l]:
-        for header in missing_owasp:
-            prefix = "(*) " if header.title() == "Permissions-Policy" else ""
-            print(f"{STYLE[1]}  {prefix}{header.title()}{STYLE[5]}")
-
-
 def print_owasp_missing(header_list):
     print(linesep.join(['']*2))
     print(f"{STYLE[0]}{get_detail('[comp_analysis]')}")
@@ -2215,7 +2202,8 @@ def custom_help_formatter(prog):
 t_contdisp = ('filename', 'filename*')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
-t_cencoding = ('br', 'compress', 'deflate', 'gzip', 'x-gzip', 'zstd')
+t_cencoding = ('br', 'compress', 'dcb', 'dcz', 'deflate', 'gzip', 'x-gzip',
+               'zstd')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 # https://www.w3.org/TR/CSP2/ & https://www.w3.org/TR/CSP3/
@@ -2241,7 +2229,9 @@ def custom_help_formatter(prog):
                 'unsafe-hashes', 'nonce-', '127.0.0.1')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-l_csp_ro_dep = ['violated-directive']
+l_csp_ro_dep = ['block-all-mixed-content', 'disown-opener', 'plugin-types',
+                'prefetch-src', 'referrer', 'report-uri', 'require-sri-for',
+                'sandbox', 'violated-directive']
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type
 # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
@@ -2505,16 +2495,19 @@ def custom_help_formatter(prog):
     if re.search(RE_PATTERN[1], csp_h):
         csp_check_ip(csp_h)
 
-csp_ro_header = headers_l.get('content-security-policy-report-only', '')
-if csp_ro_header and any(elem in csp_ro_header for elem in l_csp_ro_dep) and \
-     '17' not in skip_list:
-    print_detail_r('[icsiro_d]', is_red=True)
-    if not args.brief:
-        matches_csp_ro = [x for x in l_csp_ro_dep if x in csp_ro_header]
-        print_detail_l('[icsi_d_s]')
-        print(', '.join(matches_csp_ro))
-        print_detail('[icsiro_d_r]')
-    i_cnt[0] += 1
+if 'content-security-policy-report-only' in headers_l and '17' not in \
+     skip_list:
+    csp_ro_header = headers_l['content-security-policy-report-only']
+    if any(elem in csp_ro_header for elem in l_csp_ro_dep):
+        print_detail_r('[icsiro_d]', is_red=True)
+        if not args.brief:
+            matches_csp_ro = [x for x in l_csp_ro_dep if x in csp_ro_header]
+            print_detail_l('[icsi_d_s]')
+            print(', '.join(f"'{x}'" for x in matches_csp_ro))
+            print_detail('[icsiro_d_r]')
+        i_cnt[0] += 1
+    if 'report-to' not in csp_ro_header:
+        print_details('[icsiroi_d]', '[icsiroi]', 'd', i_cnt)
 
 ctype_header = headers_l.get('content-type', '')
 if ctype_header and '18' not in skip_list:
diff --git a/l10n/details.txt b/l10n/details.txt
@@ -433,13 +433,20 @@
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer
 
 [icsiro_d]
- Content-Security-Policy-Report-Only (Deprecated Directives)
+ Content-Security-Policy-Report-Only (Ignored Directives)
 
 [icsiro_d_r]
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 
 [icsi_d_s]
- Avoid deprecated directives: 
+ Avoid deprecated or ignored directives: 
+
+[icsiroi_d]
+ Content-Security-Policy-Report-Only (Ignored Header)
+
+[icsiroi]
+ Use the 'report-to' directive or this header has no effect.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 
 [itrailer_d_s]
  Avoid disallowed directives: 
diff --git a/l10n/details_es.txt b/l10n/details_es.txt
@@ -434,13 +434,20 @@
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer
 
 [icsiro_d]
- Content-Security-Policy-Report-Only (Directivas obsoletas)
+ Content-Security-Policy-Report-Only (Directivas ignoradas)
 
 [icsiro_d_r]
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 
 [icsi_d_s]
- Evite directivas obsoletas: 
+ Evite directivas ignoradas u obsoletas: 
+
+[icsiroi_d]
+ Content-Security-Policy-Report-Only (Cabecera ignorada)
+
+[icsiroi]
+ Utilice la directiva 'report-to' o esta cabecera no tendrá efecto.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 
 [itrailer_d_s]
  Evite directivas no permitidas: 
