performing-security-headers-audit
Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing or misconfigured browser-level protections.
# Performing Security Headers Audit
## When to Use
- During authorized web application security assessments as a standard configuration review
- When evaluating browser-level protections against XSS, clickjacking, and data leakage
- For compliance assessments requiring security header implementation (PCI DSS, SOC 2)
- When performing initial reconnaissance to identify easy-win security improvements
- During CI/CD pipeline security gate checks for new deployments
## Prerequisites
- **Authorization**: Written scope for the target application (header review is low-risk)
- **curl**: For fetching response headers from target endpoints
- **SecurityHeaders.com**: Online scanner for quick header assessment
- **Mozilla Observatory**: Mozilla's web security testing tool
- **Burp Suite**: For comprehensive header analysis across multiple pages
- **Browser DevTools**: For examining headers and CSP violations in real-time
## Workflow
### Step 1: Collect Security Headers from Target
Retrieve and catalog all security-related response headers.
```bash
# Fetch all response headers
# -I sends a HEAD request; if a page only sets its headers on GET, use instead:
#   curl -s -D - -o /dev/null "https://target.example.com/"
curl -s -I "https://target.example.com/" | grep -iE \
  "(strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy|feature-policy|x-permitted|cross-origin|set-cookie|server|x-powered-by|cache-control)"
# Check headers across multiple pages
PAGES=("/" "/login" "/api/health" "/admin" "/account/settings" "/static/app.js")
for page in "${PAGES[@]}"; do
  echo "=== $page ==="
  curl -s -I "https://target.example.com$page" 2>/dev/null | grep -iE \
    "(strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy|set-cookie|server|x-powered)"
  echo
done
# Check both HTTP and HTTPS responses
echo "=== HTTP Response ==="
curl -s -I "http://target.example.com/" | head -20
echo "=== HTTPS Response ==="
curl -s -I "https://target.example.com/" | head -20
```
### Step 2: Assess Transport Security (HSTS)
Evaluate HTTP Strict Transport Security configuration.
```bash
# Check HSTS header (browsers only honour it when received over HTTPS, so test the HTTPS URL)
curl -s -I "https://target.example.com/" | grep -i "strict-transport-security"
# Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# Verify HSTS attributes:
# max-age: Should be >= 31536000 (1 year) for preload eligibility
# includeSubDomains: Protects all subdomains
# preload: Eligible for browser HSTS preload list
# Check if HTTP redirects to HTTPS
curl -s -I "http://target.example.com/" | head -5
# Should be 301/302 redirect to https://
# Check if HSTS is on the preload list
# Visit: https://hstspreload.org/?domain=target.example.com
# Test for HTTPS-only cookies
curl -s -I "https://target.example.com/login" | grep -i "set-cookie"
# All session cookies should have Secure flag
# Check for mixed content (-E instead of -P so the pattern also works with BSD/macOS grep)
curl -s "https://target.example.com/" | grep -oE "http://[^\"']+" | head -20
# HTTP resources loaded on HTTPS pages create mixed content vulnerabilities
```
### Step 3: Audit Content Security Policy (CSP)
Analyze CSP headers for effectiveness and potential bypasses.
```bash
# Extract the enforcing CSP header (anchored with "^" and ":" so that
# Content-Security-Policy-Report-Only does not match too); strip the CR
# that curl leaves at the end of each header line
CSP=$(curl -s -I "https://target.example.com/" | tr -d '\r' | grep -i "^content-security-policy:" | cut -d: -f2-)
[ -z "$CSP" ] && echo "No enforcing Content-Security-Policy header"
echo "$CSP"
# Check for dangerous directives:
# 'unsafe-inline' in script-src: Allows inline scripts (XSS risk)
# 'unsafe-eval' in script-src: Allows eval() (XSS risk)
# * in any directive: Allows loading from any origin
# data: in script-src: Allows data: URI scripts
# Missing default-src: No fallback policy
echo "$CSP" | tr ';' '\n' | while read -r directive; do
  [ -z "$directive" ] && continue
  echo " $directive"
  if echo "$directive" | grep -q "unsafe-inline"; then
    echo " WARNING: unsafe-inline allows inline script execution"
  fi
  if echo "$directive" | grep -q "unsafe-eval"; then
    echo " WARNING: unsafe-eval allows eval() calls"
  fi
  # Match a bare * source anywhere in the directive, including as its last token
  if echo "$directive" | grep -qE "(^|[[:space:]])\*([[:space:]]|$)"; then
    echo " WARNING: wildcard allows loading from any origin"
  fi
  if echo "$directive" | grep -qE "^script-src.*[[:space:]]data:"; then
    echo " WARNING: data: URIs allowed in script-src"
  fi
done
echo "$CSP" | grep -q "default-src" || echo " WARNING: no default-src fallback directive"
# Check for CSP report-only (not enforcing)
curl -s -I "https://target.example.com/" | grep -i "content-security-policy-report-only"
# Report-only does NOT block violations, only logs them
# Test CSP with Google's evaluator
# https://csp-evaluator.withgoogle.com/
# Paste the CSP header for automated analysis
# Check for CSP bypass via whitelisted domains
# If CDN domains are whitelisted, check for JSONP endpoints or angular libraries
```
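The directive checks from Step 3 as an added, stand-alone Python checker (example code, not part of the original skill). It applies the `default-src` fallback the way browsers do, treats `base-uri` and `frame-ancestors` as non-inheriting, and does not flag `'unsafe-inline'` when a nonce or hash is also present, since CSP3 browsers ignore it in that case. Feed it the header value captured into `$CSP` above; the two sample policies are constructed.

```python
import re

# Nonce and hash source expressions; when one is present, CSP3 browsers ignore 'unsafe-inline'
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")

def parse_csp(header_value):
    """Split a CSP header value into {directive_name: [lower-cased source expressions]}."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(t.lower() for t in tokens[1:])
    return policy

def audit_csp(header_value):
    """Return findings for the weak patterns listed in Step 3; an empty list means none found."""
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src: undeclared fetch directives are unrestricted")
    # script-src and object-src fall back to default-src; base-uri and frame-ancestors do not
    for directive in ("script-src", "object-src"):
        srcs = policy.get(directive, policy.get("default-src"))
        if srcs is None:
            findings.append(f"{directive}: unrestricted (no directive and no default-src)")
        elif "*" in srcs or "http:" in srcs or "https:" in srcs:
            findings.append(f"{directive}: wildcard or scheme-only source allows any origin")
    script = policy.get("script-src", policy.get("default-src")) or []
    if "'unsafe-inline'" in script and not any(NONCE_OR_HASH.match(s) for s in script):
        findings.append("script-src: 'unsafe-inline' allows inline scripts")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows eval()")
    if "data:" in script or "blob:" in script:
        findings.append("script-src: data:/blob: sources allow attacker-supplied script URIs")
    for directive in ("base-uri", "frame-ancestors"):
        if directive not in policy:
            findings.append(f"missing {directive}: it does not inherit from default-src")
    return findings

# Constructed sample policies (not captured from any real site)
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' data:"
STRICT_CSP = ("default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"== {label} ==")
        for finding in audit_csp(csp) or ["no weak patterns found"]:
            print(" ", finding)
```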
### Step 4: Check Frame Protection and Click Defense Headers
Verify anti-clickjacking and iframe embedding controls.
```bash
# X-Frame-Options
curl -s -I "https://target.example.com/" | grep -i "x-frame-options"
# Expected: DENY or SAMEORIGIN
# ALLOW-FROM is deprecated and not supported in modern browsers
# CSP frame-ancestors (supersedes X-Frame-Options)
curl -s -I "https://target.example.com/" | grep -i "content-security-policy" | grep -o "frame-ancestors[^;]*"
# Expected: frame-ancestors 'none' or frame-ancestors 'self'
# X-Content-Type-Options
curl -s -I "https://target.example.com/" | grep -i "x-content-type-options"
# Expected: nosniff (prevents MIME type sniffing)
# X-XSS-Protection (legacy, but still useful for older browsers)
curl -s -I "https://target.example.com/" | grep -i "x-xss-protection"
# Expected: 1; mode=block (or 0 if CSP is comprehensive)
# Note: Modern recommendation is 0 (disable) when CSP is present
# Referrer-Policy
curl -s -I "https://target.example.com/" | grep -i "referrer-policy"
# Expected: strict-origin-when-cross-origin or no-referrer
# Prevents sensitive URL data from leaking via Referer header
```
### Step 5: Audit Cookie Security Attributes
Examine session and authentication cookies for security flags.
```bash
# Fetch all Set-Cookie headers (-L follows redirects, so cookies set by the redirect target are seen too)
curl -s -I -L "https://target.example.com/login" | grep -i "set-cookie"
# Check each cookie for required attributes:
# Secure: Only sent over HTTPS
# HttpOnly: Not accessible via JavaScript (prevents XSS cookie theft)
# SameSite: Controls cross-site cookie sending (Strict, Lax, None)
# Path: Restricts cookie scope
# Domain: Controls which domains receive the cookie
# Max-Age/Expires: Cookie lifetime
# Automated cookie check: strip the CR curl leaves on header lines and match attributes
# as whole tokens, so a cookie named "insecure" does not pass the Secure check
curl -s -I "https://target.example.com/login" | tr -d '\r' | grep -i "^set-cookie:" | while read -r line; do
  cookie=$(echo "$line" | cut -d: -f2- | cut -d';' -f1 | sed 's/^ *//')
  name=${cookie%%=*}
  echo "Cookie: $cookie"
  missing=""
  echo "$line" | grep -qiE ';[[:space:]]*secure[[:space:]]*(;|$)' || missing="$missing Secure"
  echo "$line" | grep -qiE ';[[:space:]]*httponly[[:space:]]*(;|$)' || missing="$missing HttpOnly"
  echo "$line" | grep -qiE ';[[:space:]]*samesite=' || missing="$missing SameSite"
  if [ -n "$missing" ]; then
    echo " MISSING:$missing"
  else
    echo " All flags present"
  fi
  # Check the __Host- and __Secure- cookie prefixes
  # __Host- cookies must have Secure, Path=/, no Domain (Secure is already covered above)
  # __Secure- cookies must have Secure flag (covered by the Secure check above)
  case "$name" in
    __Host-*)
      if ! echo "$line" | grep -qiE ';[[:space:]]*path=/[[:space:]]*(;|$)' || echo "$line" | grep -qi ';[[:space:]]*domain='; then
        echo " PREFIX VIOLATION: __Host- requires Path=/ and no Domain attribute"
      fi ;;
  esac
done
```
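The attribute and prefix rules from Step 5 as an added Python checker (example code, not from the original skill). It parses raw `Set-Cookie` lines as printed by curl and also catches the `SameSite=None` without `Secure` combination, which Chromium rejects outright; the sample lines are constructed, not captured from any site.

```python
SAMESITE_NOTE = "missing SameSite (Chromium treats it as Lax, other browsers vary)"

def parse_set_cookie(line):
    """Parse one Set-Cookie line into (cookie_name, {attribute_name_lowercase: value})."""
    value = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    parts = [p.strip() for p in value.strip().split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags such as Secure get value ""
    return name, attrs

def audit_cookie(line):
    """Return (name, findings) applying the attribute and prefix rules from Step 5."""
    name, attrs = parse_set_cookie(line)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(SAMESITE_NOTE)
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chromium rejects the cookie")
    # Prefix rules: browsers reject __Host-/__Secure- cookies that violate them
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    elif name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires Secure")
    return name, findings

# Constructed Set-Cookie lines (not captured from any real site)
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: __Host-csrf=tok; Secure; Path=/; SameSite=Strict; HttpOnly",
    "Set-Cookie: __Host-bad=tok; Secure; Path=/account; Domain=example.com; HttpOnly; SameSite=Lax",
    "Set-Cookie: tracker=xyz; SameSite=None; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_cookie(header)
        print(f"{name}: {', '.join(findings) if findings else 'all checks passed'}")
```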
### Step 6: Check Permissions Policy and Information Disclosure
Review browser feature controls and information leakage headers.
```bash
# Permissions-Policy (formerly Feature-Policy)
curl -s -I "https://target.example.com/" | grep -i "permissions-policy"
# Controls browser features: camera, microphone, geolocation, etc.
# Expected: Restrict unused features
# Example: permissions-policy: camera=(), microphone=(), geolocation=()
# Cross-Origin headers
curl -s -I "https://target.example.com/" | grep -iE "(cross-origin-embedder|cross-origin-opener|cross-origin-resource)"
# COEP: Cross-Origin-Embedder-Policy: require-corp
# COOP: Cross-Origin-Opener-Policy: same-origin
# CORP: Cross-Origin-Resource-Policy: same-origin
# Information disclosure headers to flag
curl -s -I "https://target.example.com/" | grep -iE "(server|x-powered-by|x-aspnet|x-generator)"
# Server: Apache/2.4.52 (should be removed or generic)
# X-Powered-By: PHP/8.1.2 (should be removed)
# These headers reveal technology stack to attackers
# Cache-Control for sensitive pages
curl -s -I "https://target.example.com/account/settings" | grep -i "cache-control"
# Sensitive pages should have: Cache-Control: no-store, no-cache, must-revalidate
# Prevents bro
```