VENOM sample HTTP security response headers test suites.

venom_security_headers_tests_suite.yml

name: HTTP security response headers test suites
# TOOLS
# VENOM HOME: https://github.com/ovh/venom
# VENOM RELEASE: https://github.com/ovh/venom/releases
# VENOM ASSERTION KEYWORDS: https://github.com/ovh/venom#assertion
# REF AND RUN
# REF BASE: https://owasp.org/www-project-secure-headers/
# RUN CMD: venom run --var="target_site=https://righettod.eu" venom_security_headers_tests_suite.yml 
#          venom run --var="target_site=https://righettod.eu" --var="internet_facing=true" venom_security_headers_tests_suite.yml 
#          venom run --var="target_site=https://righettod.eu" --var="internet_facing=true" --var="logout_url=/logout" venom_security_headers_tests_suite.yml 
vars:
  target_site: ""
  logout_url: ""
  internet_facing: false
testcases:
###############################################
## ACTIVE RECOMMENDED HEADERS
###############################################
- name: Strict-Transport-Security
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.strict-transport-security ShouldNotBeNil
    - result.headers.strict-transport-security ShouldContainSubstring "includeSubDomains"
    - result.headers.strict-transport-security ShouldContainSubstring "max-age="
    - result.headers.strict-transport-security ShouldNotContainSubstring "max-age=0"
    - result.headers.strict-transport-security ShouldContainSubstring "preload"
- name: X-Frame-Options
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.x-frame-options ShouldNotBeNil
    - result.headers.x-frame-options ShouldEqual "deny"
- name: X-Content-Type-Options
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.x-content-type-options ShouldNotBeNil
    - result.headers.x-content-type-options ShouldEqual "nosniff"
- name: Content-Security-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.content-security-policy ShouldNotBeNil
    - result.headers.content-security-policy ShouldNotContainSubstring "unsafe"    
- name: X-Permitted-Cross-Domain-Policies
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.x-permitted-cross-domain-policies ShouldNotBeNil
    - result.headers.x-permitted-cross-domain-policies ShouldEqual "none"
- name: Referrer-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.referrer-policy ShouldNotBeNil
    - result.headers.referrer-policy ShouldEqual "no-referrer"
- name: Clear-Site-Data
  steps:
  - type: http
    method: GET
    url: {{.target_site}}/{{.logout_url}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.clear-site-data ShouldNotBeNil
    - result.headers.clear-site-data ShouldContainSubstring "cookies"
    - result.headers.clear-site-data ShouldContainSubstring "storage"
- name: Cross-Origin-Embedder-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.cross-origin-embedder-policy ShouldNotBeNil
    - result.headers.cross-origin-embedder-policy ShouldEqual "require-corp"
- name: Cross-Origin-Opener-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.cross-origin-opener-policy ShouldNotBeNil
    - result.headers.cross-origin-opener-policy ShouldEqual "same-origin"
- name: Cross-Origin-Resource-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    #info: Header are {{.result.headers}}
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.cross-origin-resource-policy ShouldNotBeNil
    - result.headers.cross-origin-resource-policy ShouldEqual "same-origin"
###############################################
## DEPRECATED OR ALMOST DEPRECATED HEADERS
###############################################
- name: Feature-Policy
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    info: This header was split into Permissions-Policy and Document-Policy and will be considered deprecated once all impacted features are moved off of feature policy.
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.feature-policy ShouldNotBeNil
    - result.headers.feature-policy ShouldNotContainSubstring "*"
- name: Public-Key-Pins
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    info: This header has been deprecated by all major browsers and is no longer recommended. Avoid using it, and update existing code if possible!
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.public-key-pins ShouldBeNil
- name: Expect-CT
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    info: This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.expect-ct ShouldNotBeNil
    - result.headers.expect-ct ShouldContainSubstring "enforce"
    - result.headers.expect-ct ShouldContainSubstring "max-age="
    - result.headers.expect-ct ShouldNotContainSubstring "max-age=0"
- name: X-Xss-Protection
  steps:
  - type: http
    method: GET
    url: {{.target_site}}
    skip_body: true
    info: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side.
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.x-xss-protection ShouldNotBeNil
    - result.headers.x-xss-protection ShouldEqual "0"
###############################################
## EXTRA TEST FOR INTERNET EXPOSED APP
## CHECK SECURITYHEADERS.COM RATING
###############################################
- name: SecurityHeaders-Rating
  skip: 
    - internet_facing ShouldEqual true
  steps:
  - type: http
    method: GET
    url: https://securityheaders.com/?q={{.target_site}}&hide=on&followRedirects=on
    skip_body: true
    timeout: 20
    assertions:
    - result.statuscode ShouldEqual 200    
    - result.headers.x-grade ShouldNotBeNil
    - result.headers.x-grade ShouldEqual "A"

Execution example in case of a non-internet facing application (last test was skipped):

Execution example in case of a internet facing application (last test was performed):

Live usage example: