---
title: OWASP Secure Headers Project
level: 3
url:
type: documentation
layout: col-sidebar
tags: headers
pitch: Provides technical information about HTTP security headers.
---

Introduction


🎯 The OWASP Secure Headers Project (also called OSHP) describes the HTTP response headers that your application can set to increase its security. Once set, these HTTP response headers stop modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

🤔 HTTP headers are well known and, at times, despised. Seeking a balance between usability and security, developers implement functionality through headers that can make applications more versatile or more secure. But in practice, how are these headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?

Description

📚 The OWASP Secure Headers Project aims to provide guidance and resources on the following aspects of HTTP security headers:

  • Guidance about the recommended HTTP security headers that can be leveraged.
  • Guidance about the HTTP headers that should be removed.
  • Tools to validate an HTTP security header configuration.
  • Code libraries that can be leveraged to configure recommended HTTP security headers.
  • Statistics about usage of the recommended HTTP security headers.

🏭 All the tools provided by the OSHP are gathered under this GitHub organization.

📺 A presentation of the project is available at the following locations:

Migration

🌎 The OWASP Secure Headers Project was migrated from the old website to the GitHub OWASP organization.

📦 The following projects are now archived; they were initiatives that have since been replaced by new projects:

Security headers usage statistics

📈 We provide statistics, updated every month, on the usage of the HTTP response security headers recommended by the OWASP Secure Headers Project:

Security headers usage validator

✅ We provide a Venom test suite to validate an HTTP security response header configuration against the OWASP Secure Headers Project recommendations:

🧪 We also provide an online mock endpoint returning an HTTP response in which all the HTTP response headers recommended by the OSHP are set:

  • It is automatically deployed on https://oshp-validator-mock.onrender.com
  • Technical details about this endpoint are here.

Security headers reference files

📖 As mentioned in previous sections, we provide the collection of HTTP response security headers to add as well as HTTP response headers to remove, both in table form.

💡 Additionally, we provide this information as two JSON files to enable automation in the context of a provisioning workflow:

📡 These JSON files are automatically updated.

Technical references health dashboard

📍 We automatically generate and monitor this dashboard to identify any dead (no longer available) project referenced in the Technical Resources tab.

Discussions, information and roadmap

💬 We use the GitHub Discussions feature for discussions about the project as well as for sharing general information about it.

👩‍💻 The work on the OSHP projects and their associated components is tracked using the GitHub Projects feature.

Notification of update

📡 This Atom web feed can be used to be notified when an update is pushed to the OSHP website's repository.

Create a link to the OSHP site

📖 This is documented in the Case Studies tab.

Contributors

💌 Contributors to OSHP, before the migration of the project to GitHub:

💌 Visit this page for updated information about the contributors since the migration of the project to GitHub.

Licensing

📑 This project's content is free to use. It is licensed under the Apache 2.0 License.