oshp/oshp-validator
Venom tests suite to validate an HTTP security response headers configuration against OSHP recommendation.
Caution
The project was transferred to the main repository of the OSHP project. Precisely into this location.
OWASP Secure Headers Project validator
โ Venom test suites to validate an HTTP security response headers configuration against OSHP recommendation.
๐ฏ The objective is to provide a way to validate the configuration of non-Internet exposed applications in a flexible/portable way.
๐ก You can use the provided test suites, as a foundation, to tailor it to your context.
๐ Syntax for the test suitesfile is validated using this yamllint configuration file.
Why venom?
๐ค We chose to leverage this tool for the following reasons:
- It is free and open source.
- It does not need any installation: Standalone binary file provided but you can easily compile it if you want a full control over the binary executed.
- It is cross-platform.
- It uses a descriptive approach for a tests suite and, then, do not need any code (or coding skills) to add/update a test.
Tests suite
Note
โ This tests suite is always synchronized with the latest OSHP recommendation.
๐ It is provided via this single file.
๐ป Visual Studio Code is used for the tests suite development. A Visual Studio Code workspace file is provided for the project with recommended extensions.
๐ The following parameters are supported:
| Parameter name | Description | Default value | Mandatory |
|---|---|---|---|
| target_site | URL of the site for which the headers configuration must be tested. | "" | Yes |
| logout_url | Relative path to the logout endpoint of the app. Use to test the configuration of the header "Clear-Site-Data". | "" | No |
| request_timeout_in_seconds | Maximum waiting time in seconds for response from the target app. | 20 | No |
How to use it?
You can use local installed venom or venom in a container image.
Local Venom
๐ป Follow the steps below.
- Get a release of venom for your platform.
- Run one the following commands corresponding to your context:
# Using default values
$ venom run --var="target_site=https://mysite.com" tests_suite.yml
# Using parameter to specify the logout page for the test of the header "Clear-Site-Data"
$ venom run --var="target_site=https://mysite.com" --var="logout_url=/logout" tests_suite.yml ๐ฝ๏ธ Live usage example (the parameter internet_facing does not exists anymore, see here for explanation):
๐ก Hints: Venom returns a code different from zero when a test fail or when you try an update and your version is the latest one. Therefore, to prevent your script to fail then add || true at the end of your command.
Container Image
๐ป Follow the steps below.
docker run --mount type=bind,source=$(pwd)/tests_suite.yml,target=/workdir/tests_suite.yml ovhcom/venom:latest run --var="target_site=https://mysite.com" tests_suite.ymlReporting
๐ This section of the venom documentation describes the different formats supported for the integration in a CI/CD platform.
Tests suite mock service
๐ The python script test_suite_mock.py provides a mock endpoint returning an HTTP response, for which, all HTTP response headers recommended by the OSHP will be set.
๐ฆ It is automatically deployed on https://oshp-validator-mock.onrender.com and it is used, by this CI workflow, to test the venom tests suite.