Venom test suites to validate an HTTP security response headers configuration against OSHP recommendation.
🎯 The objective is to provide a way to validate the configuration of non-Internet exposed applications in a flexible/portable way.
💡 You can use the provided test suites, as a foundation, to tailor it to your context.
📑 Syntax for the test suitesfile is validated using this yamllint configuration file.
🤔 We chose to leverage this tool for the following reasons:
- It is free and open source.
- It does not need any installation: Standalone binary file provided but you can easily compile it if you want a full control over the binary executed.
- It is cross-platform.
- It uses a descriptive approach for a tests suite and, then, do not need any code (or coding skills) to add/update a test.
Note: This tests suite is always synchronized with the latest OSHP recommendation.
📋 It is provided via this single file.
💻 Visual Studio Code is used for the tests suite development. A Visual Studio Code workspace file is provided for the project with recommended extensions.
📐 The following parameters are supported:
| Parameter name | Description | Default value | Mandatory |
|---|---|---|---|
| target_site | URL of the site for which the headers configuration must be tested. | "" | Yes |
| internet_facing | Boolean to specify if the tested app is currently reachable from Internet and then can be tested with the securityheaders.com online tools. | false | No |
| logout_url | Relative path to the logout endpoint of the app. Use to test the configuration of the header "Clear-Site-Data". | "" | No |
| request_timeout_in_seconds | Maximum waiting time in seconds for response from the target app. | 20 | No |
💻 Follow the steps below.
- Get a release of venom for your platform.
- Run one the following commands corresponding to your context:
# Using default values for "internet_facing" and "logout_url" parameters
$ venom run --var="target_site=https://mysite.com" tests_suite.yml
# Using parameter to include the results from "securityheaders.com" online tools
$ venom run --var="target_site=https://mysite.com" --var="internet_facing=true" tests_suite.yml
# Using parameter to specify the logout page for the test of the header "Clear-Site-Data"
$ venom run --var="target_site=https://mysite.com" --var="logout_url=/logout" tests_suite.yml 👁️🗨️ Live usage example:
💡 Hints:
Venom returns a code different from zero when a test fail or when you try an update and your version is the latest one. Therefore, to prevent your script to fail then add || true at the end of your command.
This section of the venom documentation describes the different formats supported for the integration in a CI/CD platform.
The python script test_suite_mock.py provides a mock endpoint returning an HTTP response, for which, all HTTP response headers recommended by the OSHP will be set.
📦 It is automatically deployed on https://oshp-validator-mock.onrender.com and it is used, by this CI workflow, to test the venom tests suite.