This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Secure Headers Project"
(→Road Map and Getting Involved) |
|||
Line 87: | Line 87: | ||
= Road Map and Getting Involved = | = Road Map and Getting Involved = | ||
− | |||
− | Secure Headers intends to raise awareness and usage of headers sent by the server that can increase security. We'll aim to bring this about by: | + | '''2016 Priorities''' |
+ | |||
+ | OWASP Secure Headers Project intends to raise awareness and usage of headers sent by the server that can increase security. We'll aim to bring this about by: | ||
1. Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this accessible as possible to developers. | 1. Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this accessible as possible to developers. | ||
− | 2. Creating | + | 2. Creating secure best practices implementations including how to set properly secure headers on the most common platforms (eg. Apache, NGINX, IIS, etc.). |
− | 3. | + | 3. Improve constantly hsecscan tool to detect bad practices and provide link to the best practices above. |
+ | 4. Perform public to scan websites using hsecscan and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites. | ||
− | Involvement in the development and promotion of Secure Headers is actively encouraged! | + | 5. Consistent reports regarding this secure headers, their usage, any changes to existing headers. |
+ | |||
+ | Involvement in the development and promotion of OWASP Secure Headers Project is actively encouraged! | ||
You do not have to be a security expert in order to contribute. | You do not have to be a security expert in order to contribute. | ||
− | + | If you want to help send an email to [email protected]. | |
− | |||
− | |||
− | |||
Revision as of 13:23, 15 December 2015
- What is HTTP header?
- HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.
- Is there a standard for HTTP headers?
- A core set of fields is standardized by the Internet Engineering Task Force (IETF) in RFCs 7230, 7231, 7232, 7233, 7234, and 7235. The permanent registry of header fields and repository of provisional registrations are maintained by the IANA. Additional field names and permissible values may be defined by each application. Non-standard header fields were conventionally marked by prefixing the field name with X- but this convention was deprecated in June 2012 because of the inconveniences it caused when non-standard fields became standard. An earlier restriction on use of Downgraded- was lifted in March 2013.
Contributors
OWASP Secure Headers Project is developed by a worldwide team of volunteers. The primary contributors to date have been:
- Ricardo Iramar
- Jim Manico
2016 Priorities
OWASP Secure Headers Project intends to raise awareness and usage of headers sent by the server that can increase security. We'll aim to bring this about by:
1. Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this accessible as possible to developers.
2. Creating secure best practices implementations including how to set properly secure headers on the most common platforms (eg. Apache, NGINX, IIS, etc.).
3. Improve constantly hsecscan tool to detect bad practices and provide link to the best practices above.
4. Perform public to scan websites using hsecscan and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.
5. Consistent reports regarding this secure headers, their usage, any changes to existing headers.
Involvement in the development and promotion of OWASP Secure Headers Project is actively encouraged! You do not have to be a security expert in order to contribute. If you want to help send an email to [email protected].