Skip to content

Commit

Permalink
nginx:chore - Adding improvements on nginx rules
Browse files Browse the repository at this point in the history
In this commit I changed to add Safe and Unsafe code
in all rules of the nginx

Signed-off-by: Wilian Gabriel <[email protected]>
  • Loading branch information
wiliansilvazup committed Mar 17, 2022
1 parent 5570397 commit eb47481
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 20 deletions.
48 changes: 28 additions & 20 deletions internal/services/engines/nginx/rules.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,13 @@ import (
func NewIncludeXFrameOptionsHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-1",
Name: "Improper Restriction of Rendered UI Layers or Frames",
Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-1",
Name: "Improper Restriction of Rendered UI Layers or Frames",
Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX1,
UnsafeExample: SampleVulnerableHSNGINX1,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -43,11 +45,13 @@ func NewIncludeXFrameOptionsHeader() *text.Rule {
func NewIncludeXContentTypeOptionsHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-2",
Name: "Missing X-Content-Type-Options header",
Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-2",
Name: "Missing X-Content-Type-Options header",
Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX2,
UnsafeExample: SampleVulnerableHSNGINX2,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -59,11 +63,13 @@ func NewIncludeXContentTypeOptionsHeader() *text.Rule {
func NewIncludeContentSecurityPolicyHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-3",
Name: "Missing Content-Security-Policy header",
Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-3",
Name: "Missing Content-Security-Policy header",
Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX3,
UnsafeExample: SampleVulnerableHSNGINX3,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -75,11 +81,13 @@ func NewIncludeContentSecurityPolicyHeader() *text.Rule {
func NewIncludeServerTokensOff() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-4",
Name: "Exposure of Sensitive Information",
Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-4",
Name: "Exposure of Sensitive Information",
Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX4,
UnsafeExample: SampleVulnerableHSNGINX4,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand Down
File renamed without changes.

0 comments on commit eb47481

Please sign in to comment.