OpenVAS users,

Someone in my organization noted that the scanner itself isn't compliant with our 
standards because there is no Strict-Transport-Security header.
Obviously I wanted to quickly show them how easily things can be fixed, thus I 
patched gsad:

"""
# diff -Naur gsad.c gsad.c_htst
--- gsad.c      2016-08-25 16:09:08.000000000 +0200
+++ gsad.c_htst 2016-11-18 17:11:19.377228392 +0100
@@ -148,6 +148,11 @@
#define DEFAULT_GSAD_X_FRAME_OPTIONS "SAMEORIGIN"

/**
+ * @brief Default value for HTTP header "Strict-Transport-Security"
+ */
+#define DEFAULT_GSAD_STRICT_TRANSPORT_SECURITY "max-age=31536000; preload"
+
+/**
  * @brief Default value for HTTP header "Content-Security-Policy"
  */
#define DEFAULT_GSAD_CONTENT_SECURITY_POLICY \
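Review bot: the default value "max-age=31536000; preload" in this hunk should not carry the preload directive. Preloading is a long-term, hard-to-reverse commitment for a hostname and is an opt-in decision the administrator must make for their own domain, not something a scanner package should ship as its default, especially since many gsad instances are reached via internal names or plain IP addresses; in addition, the preload submission requirements include includeSubDomains alongside a one-year max-age, so this value would not even qualify as written. Suggest defining the default as "max-age=31536000" and leaving includeSubDomains/preload to local configuration.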
@@ -179,6 +184,9 @@
   if (strcmp (http_content_security_policy, ""))                              \
     MHD_add_response_header (response, "Content-Security-Policy",             \
                              http_content_security_policy);                   \
+  if (strcmp (http_strict_transport_security, ""))                            \
+    MHD_add_response_header (response, "Strict-Transport-Security",           \
+                             http_strict_transport_security);                 \
}

/**
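Review bot: the new lines in this hunk emit the Strict-Transport-Security header on every response where the string is non-empty, without regard to whether gsad is actually serving TLS. RFC 6797 requires that an HSTS host not include the header on responses sent over non-secure transport, and gsad can run in plain-HTTP mode (for example behind a TLS-terminating reverse proxy), so the header should be gated on the HTTPS setting or the value forced to the empty string in that mode. Since the header carries a host-wide policy, one variable is enough (no guest-chart variant is needed), but check that any separate response path that adds these security headers also picks it up so coverage is consistent.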
@@ -298,6 +306,11 @@
gchar *http_x_frame_options;

/**
+ * @brief Current value for HTTP header "Strict-Transport-Security"
+ */
+gchar *http_strict_transport_security;
+
+/**
  * @brief Current value for HTTP header "Content-Security-Policy"
  */
gchar *http_content_security_policy;
@@ -4923,6 +4936,7 @@
   static gchar *guest_pass = NULL;
   static gchar *http_frame_opts = DEFAULT_GSAD_X_FRAME_OPTIONS;
   static gchar *http_csp = DEFAULT_GSAD_CONTENT_SECURITY_POLICY;
+  static gchar *http_htst = DEFAULT_GSAD_STRICT_TRANSPORT_SECURITY;
   static gchar *http_guest_chart_frame_opts
                   = DEFAULT_GSAD_GUEST_CHART_X_FRAME_OPTIONS;
   static gchar *http_guest_chart_csp
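Review bot: the new static in this hunk, `static gchar *http_htst = DEFAULT_GSAD_STRICT_TRANSPORT_SECURITY;`, is never wired into the option table, unlike its neighbours http_frame_opts and http_csp, which administrators can override from the command line. Without a matching option entry the header can only be changed by recompiling and cannot be disabled at all at runtime, which is exactly the situation this patch set out to avoid; add an option entry that populates http_htst next to the existing ones. As a style point, the acronym is HSTS, so http_hsts (and gsad.c_hsts for the file) would read less like a typo.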
@@ -5031,6 +5045,7 @@

   http_x_frame_options = http_frame_opts;
   http_content_security_policy = http_csp;
+  http_strict_transport_security = http_htst;
   http_guest_chart_x_frame_options = http_guest_chart_frame_opts;
   http_guest_chart_content_security_policy = http_guest_chart_csp;
"""

Perhaps a welcome addition in future versions? Patching it myself is an option 
but not very elegant.
I do not want to resort to putting something like Apache or Nginx in front of 
it either (it's only accessible to some system/network admins through a 2FA 
VPN anyway).


Thijs Stuurman
Security Operations Center
PGP Key-ID: 0x16ADC048
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

Internedservices - a KPN Company
Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
T: +31(0)299476185 | M: +31(0)624366778
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss