
Security Related Headers results in false positive when secure_headers gem is used

Open monfresh opened this issue 9 years ago • 3 comments

In my app, I use the secure_headers gem, which takes care of all the issues reported by the Owasp Ror Cheatsheet Security Related Headers. It would be great if dawnscanner could check these two things:

  1. That the secure_headers gem is present in the app's Gemfile.lock

  2. That the application_controller.rb contains the following lines:

    include SecureHeaders
    ensure_security_headers

If both of those conditions are met, then the Security Related Headers issue should not be reported.

monfresh avatar Jan 28 '16 19:01 monfresh

Actually, ensure_security_headers has been removed in version 3.0 of secure_headers, so perhaps just making sure it's in Gemfile.lock is enough? Another thing that could be checked is that the default configuration hasn't been changed for these headers:

SecureHeaders::Configuration.default do |config|
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
end

monfresh avatar Jan 28 '16 19:01 monfresh
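The check described in the two comments above, written out as an added example (not dawnscanner's own code): it treats the finding as mitigated when secure_headers is locked in Gemfile.lock, when the three header defaults quoted above have not been overridden in the initializer, and, for versions below 3.0 as the comment states, when application_controller.rb still opts in explicitly. The function names, the four-space Gemfile.lock spec indentation and the sample files are assumptions constructed for the example.

```ruby
require "rubygems" # Gem::Version

# Defaults quoted in the comment above; any other value for these keys counts as changed.
HEADER_DEFAULTS = {
  "x_frame_options"        => '"DENY"',
  "x_content_type_options" => '"nosniff"',
  "x_xss_protection"       => '"1; mode=block"'
}.freeze

# Gemfile.lock lists resolved specs indented by four spaces, e.g. "    secure_headers (2.5.0)".
# Returns the locked version string, or nil when the gem is absent.
def secure_headers_version(gemfile_lock)
  m = gemfile_lock.match(/^ {4}secure_headers \(([\d.]+)\)/)
  m && m[1]
end

# Pre-3.0 opt-in: both lines must appear in the controller.
def controller_opts_in?(controller_src)
  controller_src.match?(/^\s*include\s+SecureHeaders\b/) &&
    controller_src.match?(/^\s*ensure_security_headers\b/)
end

# Header keys whose value in the initializer differs from the default (empty = untouched).
def changed_header_defaults(initializer_src)
  HEADER_DEFAULTS.keys.select do |key|
    m = initializer_src.match(/^\s*config\.#{key}\s*=\s*(.+?)\s*$/)
    m && m[1] != HEADER_DEFAULTS[key]
  end
end

# True when the "Security Related Headers" finding can be suppressed.
def security_headers_mitigated?(gemfile_lock:, controller_src: "", initializer_src: "")
  version = secure_headers_version(gemfile_lock)
  return false unless version
  return false unless changed_header_defaults(initializer_src).empty?
  return true if Gem::Version.new(version) >= Gem::Version.new("3.0") # auto-applied from 3.0
  controller_opts_in?(controller_src)
end

# Constructed sample inputs (not from a real project).
GEMFILE_LOCK = <<~LOCK
  GEM
    specs:
      rails (4.2.5)
      secure_headers (2.5.0)
LOCK
CONTROLLER = "class ApplicationController < ActionController::Base\n" \
             "  include SecureHeaders\n  ensure_security_headers\nend\n"
INITIALIZER = "SecureHeaders::Configuration.default do |config|\n" \
              "  config.x_frame_options = \"DENY\"\n  config.x_xss_protection = \"1; mode=block\"\nend\n"
```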

An issue for me too.

jasnow avatar Feb 28 '16 15:02 jasnow

Can you try if this solves your issue?

thesp0nge avatar Sep 27 '16 21:09 thesp0nge