@Zodiac1978
Created August 12, 2020 11:41
WORK IN PROGRESS: wpcheck module to scan for common security headers
/**
* wpcheck module security-header.js
* Scan WordPress URL for common security headers
*/
/**
* Required modules
*/
const request = require( 'request' ).defaults( { followRedirect: false } )
const fs = require( '../fs' )
const log = require( '../log' )
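/**
* Initiator method
*
* Requests the WordPress URL once (redirects are not followed, see the
* `request` defaults above) and reports the presence and value of a few
* common security-related response headers.
*
* @param {Object} data Data object with request values
* @param {String} data.wpURL WordPress URL to request
* @param {String} data.siteURL Site URL used in the log messages
* @param {String} data.userAgent User-Agent string sent with the request
* @param {Boolean} data.silentMode Suppress non-essential log output
* @return void
*/
exports.fire = ( data ) => {
    const { wpURL, siteURL, userAgent, silentMode } = data
    const filterName = fs.fileName( __filename, '.js' )
    const logObj = { silentMode, filterName }
    const targetURL = `${wpURL}`

    request( {
        'url': targetURL,
        'method': 'GET',
        'headers': { 'User-Agent': userAgent }
    }, ( error, response ) => {
        // On a transport error `response` is undefined, so this guard has to
        // run before any header is read from it (previously the header
        // lookups came first and threw a TypeError on error).
        if ( error || !response || response.statusCode === 404 ) {
            return log.info( `${targetURL} is not found`, logObj )
        }

        // `caseless.get` looks headers up case-insensitively; a header that
        // is absent yields undefined.
        const xss = response.caseless.get( 'x-xss-protection' )
        const server = response.caseless.get( 'server' )
        const sniff = response.caseless.get( 'x-content-type-options' )
        const lastModified = response.caseless.get( 'last-modified' )

        // Exact match on the legacy "1; mode=block" value. Current browsers
        // have dropped support for X-XSS-Protection; a Content-Security-Policy
        // is the modern replacement, so treat this as a legacy indicator.
        if ( xss === '1; mode=block' ) {
            log.ok( `${siteURL} has XSS Protection turned on`, logObj )
        } else {
            log.warn( `${siteURL} has XSS Protection turned off`, logObj )
        }

        // Label each raw value so a missing header shows up as e.g.
        // "X-Content-Type-Options: undefined" rather than a bare "undefined".
        log.info( `X-XSS-Protection: ${xss}`, logObj )
        log.info( `X-Content-Type-Options: ${sniff}`, logObj )
        log.info( `Last-Modified: ${lastModified}`, logObj )
        // A Server header discloses the web server software (and often its
        // version), so its presence is reported as information, not as a pass.
        log.info( `Server: ${server}`, logObj )
    } )
}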