WebScanPro
Summary
WebScanPro is a web application for analysing HTTP security headers. With a user-friendly interface and robust scanning capabilities, WebScanPro helps developers strengthen the security of their web applications. In addition, WebScanPro scans the TLS/SSL version in use and reports whether it is up to date or should be upgraded.
HTTP Headers
Content-Security-Policy
The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site scripting).
Strict-Transport-Security (HSTS)
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, never plain HTTP. Most websites automatically redirect to HTTPS, but this header should still be sent, for example to prevent SSL stripping attacks: when users visit a website they first connect to the HTTP version before being redirected to the HTTPS version, and in an SSL stripping attack an attacker uses this window to act as a man in the middle and prevents the user from ever reaching the HTTPS version of the site.
X-XSS-Protection
Instructs the browser to stop loading the page if it detects reflected XSS. This legacy filter should not be relied on; use a Content Security Policy (CSP) that disables inline JavaScript instead.
Do not set this header, or explicitly turn it off (X-XSS-Protection: 0).
X-Content-Type-Options
Blocks MIME type sniffing and should be set as follows:
X-Content-Type-Options: nosniff
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. It should be set to DENY or SAMEORIGIN.
Referrer-Policy
Referrer-Policy has been supported by browsers since 2014. Today, the default behavior in modern browsers is to no longer send all referrer information (origin, path, and query string) to the same site and to send only the origin to other sites. However, since not all users may be using the latest browsers, and websites can (but should not!) have sensitive data in the query string, it is suggested to enforce this behavior by sending this header on all responses.
X-Webkit-CSP & X-Content-Security-Policy
Deprecated. These headers should only be used to implement CSP for very old browsers (older than 2013).
Permissions-Policy
Permissions-Policy allows you to control which origins can use which browser features, both in the top-level page and in embedded frames. For every feature controlled by Feature Policy, the feature is only enabled in the current document or frame if its origin matches the allowed list of origins. This means that you can configure your site to never allow the camera or microphone to be activated.
This prevents an injection, for example an XSS, from enabling the camera, the microphone, or another browser feature.
Permissions-Policy: geolocation=(), camera=(), microphone=()
This example disables geolocation, camera and microphone for all origins.
X-Powered-By
The X-Powered-By header describes the technologies used by the web server. This information exposes the server to attackers, who can use it to find applicable vulnerabilities more easily.
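The rules in this section, collected into one header check, as an added example that is not WebScanPro's own code. It takes a plain object of response headers (as Node's http module returns them) and lists every header that is missing, deprecated or set to a weak value; the sample responses are constructed, not captured from a real site.

```javascript
// Added example (not WebScanPro's own code): grades a response's security
// headers against the rules described above. Header names are case-insensitive.
const SENSITIVE_FEATURES = ["camera", "microphone", "geolocation"];

// Parses "camera=(), geolocation=(self)" into { camera: "", geolocation: "self" }.
// Only an empty allowlist "()" fully disables a feature.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const directive of value.split(",")) {
    const m = directive.trim().match(/^([a-z-]+)=\((.*)\)$/i);
    if (m) policy[m[1].toLowerCase()] = m[2].trim();
  }
  return policy;
}

// Returns a list of findings; an empty list means every rule above is satisfied.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  if (!h["content-security-policy"]) findings.push("missing Content-Security-Policy");
  if (!h["strict-transport-security"]) findings.push("missing Strict-Transport-Security");
  if (h["x-xss-protection"] !== undefined && h["x-xss-protection"].trim() !== "0")
    findings.push("X-XSS-Protection is enabled; remove it or set it to 0 and rely on CSP");
  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options should be nosniff");
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN")
    findings.push("X-Frame-Options should be DENY or SAMEORIGIN");
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");
  if (h["x-webkit-csp"] || h["x-content-security-policy"])
    findings.push("deprecated X-Webkit-CSP / X-Content-Security-Policy present");
  if (!h["permissions-policy"]) findings.push("missing Permissions-Policy");
  else {
    const policy = parsePermissionsPolicy(h["permissions-policy"]);
    for (const f of SENSITIVE_FEATURES)
      if (policy[f] !== "") findings.push(`Permissions-Policy does not disable ${f}`);
  }
  if (h["x-powered-by"]) findings.push("X-Powered-By discloses server technology");
  return findings;
}

// Constructed sample responses (not captured from any real site).
const weakResponse = { "X-Powered-By": "Express", "X-XSS-Protection": "1; mode=block",
  "Permissions-Policy": "camera=(self), microphone=()" };
const hardenedResponse = { "Content-Security-Policy": "default-src 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains", "X-XSS-Protection": "0",
  "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "geolocation=(), camera=(), microphone=()" };
console.log(checkSecurityHeaders(weakResponse), checkSecurityHeaders(hardenedResponse));
```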
SSL/TLS Versions
TLS Version 1.3
TLS 1.3 is the latest and most secure version of the TLS protocol. It offers improved security, faster handshake, and enhanced privacy features.
It is strongly recommended to use TLS 1.3 for the highest level of security.
TLS Version 1.2
TLS 1.2 is a widely adopted and secure version of the TLS protocol. It provides strong encryption and security features. While not the latest version, it is still considered secure and is widely supported.
But an update to Version 1.3 is recommended.
TLS Version 1.1
TLS 1.1 is outdated and has known vulnerabilities. It is generally not recommended to use TLS 1.1 due to security concerns.
Upgrading to a newer version, preferably TLS 1.3, is highly recommended.
TLS Version 1.0
TLS 1.0 is outdated and has significant security vulnerabilities.
Upgrading to a newer version, preferably TLS 1.3, is highly recommended.
SSL Version 3
SSLv3 is obsolete and has serious security flaws, including the POODLE vulnerability.
Upgrading to a newer version, preferably TLS 1.3, is highly recommended.
SSL Version 2
SSLv2 is extremely outdated and insecure, with numerous vulnerabilities. Its use is strongly discouraged, and modern systems no longer support it.
Upgrading to a newer version, preferably TLS 1.3, is highly recommended.
Requirements
Architecture
Frontend:
Backend:
Description
Step 1
Install Node.js
Step 2
Clone the WebScanPro repository
Step 3
Run npm install
Step 4
Run npm start
Step 5
Open localhost:3000
Hint: if this port is already in use, you can change app.listen(3000) in nest-js-server/main.ts to another port which is not in use.
Step 6
Start scanning your web application and check the results. Have fun!