Security headers profile

AmazeeLabs · Oct 16, 2020 · f7bc5f4 · f7bc5f4
1 parent f6fff85
commit f7bc5f4
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 1 deletion.
diff --git a/Policies/http/http-cache-control.policy.yml b/Policies/http/http-cache-control.policy.yml
@@ -0,0 +1,21 @@
+title: "HTTP Cache-Control"
+class: \Drutiny\algm\Audit\HttpHeaderRegexChecker
+name: algm:HTTP:Cache-Control
+description: |
+  Cache-Control header informs reverse proxies and browsers how to cache your
+  web page for performance reasons. A cacheable page should also contain the
+  max-age directive. E.g. `max-age=600; public`.
+remediation: |
+  Your site is choosing not to cache this page for some reason. Drupal sites
+  in general will cache unless page caching is not enabled or there is an element
+  on the page that prevents caching from taking place. We recommend you revise your
+  cache settings and elements in use on this page.
+success: |
+  {{ header }} header found with a {{ regex }} set.
+failure: |
+  {{ header }} header matching {{ regex }} not found in response.
+parameters:
+  header:
+    default: Cache-Control
+  regex:
+    default: 'max-age='
diff --git a/Profiles/algm_sla_site.profile.yml b/Profiles/algm_sla_site.profile.yml
@@ -66,4 +66,6 @@ policies:
         blacklist: 'admin, root, drupal, amazee, amazeelabs',
         status: 1
       }
-    }
+    }
+# include:
+#   - security_headers
diff --git a/Profiles/security_headers.profile.yml b/Profiles/security_headers.profile.yml
@@ -0,0 +1,19 @@
+title: 'Security headers'
+name: security_headers
+policies:
+  'algm:HTTP:Cache-Control':
+    {
+      severity: medium,
+      parameters: {
+        header: 'Cache-Control',
+        regex: 'max-age='
+      }
+    }
+  'HTTP:Content-Security-Policy': { severity: medium }
+  'HTTP:HSTS': { severity: medium }
+  'HTTP:ReferrerPolicy': { severity: medium }
+  'HTTP:X-Content-Type-Options': { severity: medium }
+  'HTTP:X-Frame-Options': { severity: medium }
+  'HTTP:X-XSS-Protection': { severity: medium }
+format:
+  html: { template: page, content: [{ heading: Purpose, body: "This report is designed to provide some feedback on the overall health of\nthe web application by performing some deep dive analysis. The items\nsurfaced in the report can help improve performance and stability.\n" }, { heading: 'Reporting period', body: "Period | Date time\n------ | ---------\nStart | {{reporting_period_start}}\nEnd | {{reporting_period_end}}\n" }, { heading: Recommendations, body: "<ul>\n{{# remediations }}\n  <li>{{{ . }}}</li>\n{{/ remediations }}\n</ul>\n" }, { heading: Findings, body: "{{{ severity_stats }}}\n### Issue Summary\n{{{ summary_table }}}\n\n{{#failures}}\n  ### Issues\n  {{# output_failure }}\n    {{{.}}}\n  {{/ output_failure }}\n{{/failures}}\n\n{{#warnings}}\n  ### Warnings\n  {{# output_warning }}\n    {{{.}}}\n  {{/ output_warning }}\n{{/warnings}}\n" }, { heading: Appendix, body: "{{#notices}}\n  ### Appendix - Analysis\n\n  The various appendices provides more detailed data regarding the health of\n  the site.\n\n  {{# output_notice }}\n    {{{.}}}\n  {{/ output_notice }}\n{{/notices}}\n\n{{#errors}}\n  ### Appendix - Errors\n\n  During the production of this report, not all report policies were able to\n  be carried out due to errors encounted.\n\n  {{#output_error}}\n    {{{.}}}\n  {{/output_error}}\n{{/errors}}\n\n### Appendix - Summary\nThe below table describes all audit and analysis work completed for the\nproduction of this report and their associated outcomes.\n\n{{{ appendix_table }}}\n\n{{#passes}}\n### Appendix - Successful Assessments\n{{# output_success }}\n  {{{.}}}\n{{/ output_success }}\n{{/passes}}\n" }] }
diff --git a/src/Audit/HttpHeaderRegexChecker.php b/src/Audit/HttpHeaderRegexChecker.php
@@ -0,0 +1,53 @@
+<?php
+
+namespace Drutiny\algm\Audit;
+
+use Drutiny\Sandbox\Sandbox;
+use Drutiny\Annotation\Param;
+
+
+/**
+ *
+ * @Param(
+ *  name = "header",
+ *  description = "The HTTP header to check the value of.",
+ *  type = "string"
+ * )
+ * @Param(
+ *  name = "regex",
+ *  description = "A regular expressions to validate the header value against.",
+ *  type = "string"
+ * )
+ */
+class HttpHeaderRegexChecker extends \Drutiny\Http\Audit\Http {
+
+  /**
+   *
+   */
+  public function audit(Sandbox $sandbox)
+  {
+    $stats = $sandbox->drush([
+      'format' => 'json',
+    ])->status();
+
+    $uri = $sandbox->getTarget()->uri();
+    if (isset($stats['uri'])) {
+      $uri = $stats['uri'];
+    }
+
+    $setUrl = $sandbox->getTarget()->setUri($uri);
+
+    $regex = $sandbox->getParameter('regex');
+    $regex = "/$regex/";
+    $res = $this->getHttpResponse($sandbox);
+    $header = $sandbox->getParameter('header');
+
+    if (!$res->hasHeader($header)) {
+      return FALSE;
+    }
+    $headers = $res->getHeader($header);
+    return preg_match($regex, $headers[0]);
+  }
+}
+
+?>