
Server headers check

Open · matteocorti opened this issue 3 years ago · 1 comment

Discussed in https://github.com/matteocorti/check_ssl_cert/discussions/410

Originally posted by strachotao, September 21, 2022:

I'd like to ask for a couple of implementations:

  1. Server header control: in the Server header you don't want to have the version of the web server, or even the name of the web server, e.g. "Apache". So something like --require-server-with-no-version or --require-server-string "myServer"
  2. something like --require-no-x-powered-by to verify that this header is not present
  3. something like --require-no-aspnet-version to verify that this header is not present

thank you for your work anyway :)

matteocorti commented Sep 21 '22 19:09

Why not, but I would then rather add two options that can be specified more than once:

--require-http-header
--require-no-http-header

And deprecate the --require-http-security-header as security is not really relevant.

You could then do something like

./check_ssl_cert --host github.com \
  --require-http-header X-Frame-Options \
  --require-no-http-header X-Powered-By \
  --require-no-http-header X-AspNet-Version

And then maybe with --check-http-headers enable a set of default requirements based on best practices.

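As an added example (not check_ssl_cert's own code), the following POSIX shell sketch implements the semantics proposed in this thread: repeatable --require-http-header / --require-no-http-header options evaluated against a captured response header block, plus strachotao's --require-server-with-no-version check. The header block is constructed inline; the "version present" heuristic (a slash followed by a digit in the Server value) and the Nagios-style exit codes are assumptions, not project behaviour.

```shell
#!/bin/sh
# Constructed sample response headers (not captured from any real host).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.54 (Ubuntu)
X-Powered-By: PHP/8.1.2
X-Frame-Options: DENY
Content-Type: text/html'

# header_value HEADERS NAME: print the value of header NAME (case-insensitive
# name match, leading whitespace and trailing CR stripped); exit 1 if absent.
header_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -F': *' '
        tolower($1) == want { sub(/^[^:]*: */, ""); sub(/\r$/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# check_headers HEADERS OPTION NAME [OPTION NAME ...]
# Options may repeat, as proposed in the thread. Exit 0 when every requirement
# holds, 2 (CRITICAL) when any is violated, 3 (UNKNOWN) on a bad option.
check_headers() {
    headers=$1; shift
    status=0
    while [ $# -gt 0 ]; do
        case $1 in
            --require-http-header)
                header_value "$headers" "$2" >/dev/null ||
                    { echo "CRITICAL: required header $2 is missing"; status=2; }
                shift 2 ;;
            --require-no-http-header)
                header_value "$headers" "$2" >/dev/null &&
                    { echo "CRITICAL: forbidden header $2 is present"; status=2; }
                shift 2 ;;
            --require-server-with-no-version)
                # Assumed heuristic: "product/1.2" style tokens count as a version leak.
                if value=$(header_value "$headers" Server); then
                    case $value in
                        */[0-9]*) echo "CRITICAL: Server header exposes a version: $value"; status=2 ;;
                    esac
                fi
                shift ;;
            *) echo "UNKNOWN: unsupported option $1" >&2; return 3 ;;
        esac
    done
    return $status
}

# Demo run mirroring the invocation sketched in the comment above.
check_headers "$SAMPLE_HEADERS" --require-http-header X-Frame-Options \
    --require-no-http-header X-Powered-By --require-no-http-header X-AspNet-Version \
    --require-server-with-no-version || echo "exit status: $?"
```

Against a live host the header block would come from something like `curl -sSI https://host`, whose output check_headers consumes unchanged.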