[![Travis-CI Build Status](https://travis-ci.org/hrbrmstr/hdrs.svg?branch=master)](https://travis-ci.org/hrbrmstr/hdrs) [![Coverage Status](https://codecov.io/gh/hrbrmstr/hdrs/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/hdrs) [![CRAN_Status_Badge](http://www.r-pkg.org/badges/version/hdrs)](https://cran.r-project.org/package=hdrs)

# hdrs

Have Some Fun with ‘HTTP’ Headers

## Description

Methods are provided to retrieve and test ‘HTTP’ headers from a website. An ‘HTTP’ request and response header reference/explanatory data frame is also provided via the ‘hsecsecan’ project ().

## What’s Inside The Tin

The following functions are implemented:

- `as.data.frame.insensitive`: Turn `httr::headers()` objects into a data frame
- `assess_security_headers`: Assess “security” headers for a given URL
- `explain_headers`: Explain HTTP headers found from a URL request
- `explore_app`: A Shiny App for Exploring HTTP Headers
- `http_headers`: HTTP Header Reference

## Installation

``` r
install.packages("hdrs", repos = "https://cinc.rud.is/")
```

## Usage

``` r
library(hdrs)
library(tibble) # for printing

# current version
packageVersion("hdrs")
## [1] '0.2.0'
```

``` r
httr::HEAD("https://rud.is/b") %>%
  httr::headers() %>%
  as.data.frame()
## # A tibble: 20 x 2
##    name                   value
##
##  1 server                 nginx
##  2 date                   Wed, 06 Mar 2019 12:27:15 GMT
##  3 content-type           text/html; charset=UTF-8
##  4 connection             keep-alive
##  5 vary                   Accept-Encoding
##  6 set-cookie             PHPSESSID=0f2uckd4t1tuf55hhecpk73i63; path=/
##  7 expires                Thu, 07 Mar 2019 12:27:15 GMT
##  8 cache-control          max-age=86400
##  9 pragma                 no-cache
## 10 link                   "; rel=\"https://api.w.org/\""
## 11 link                   ; rel=shortlink
## 12 strict-transport-secu… max-age=31536000; includeSubDomains; preload
## 13 content-security-poli… default-src 'self' data: fonts.gstatic.com fonts.googleapis.com cdn.ampproject.org *.ampproje…
## 14 x-frame-options        SAMEORIGIN
## 15 referrer-policy        no-referrer-when-downgrade
## 16 feature-policy         geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer '…
## 17 x-powered-by           <3
## 18 x-xss-protection       1; mode=block
## 19 x-content-type-options nosniff
## 20 content-encoding       gzip
```

``` r
assess_security_headers("https://cran.r-project.org") %>%
  dplyr::select(-url) %>%
  gt::gt()
```
| header | value | status_code | message |
| :--- | :--- | :--- | :--- |
| access-control-allow-origin | NA | WARN | Header not set |
| content-security-policy | NA | WARN | Header not set |
| expect-ct | NA | WARN | Header not set |
| feature-policy | NA | WARN | Header not set |
| public-key-pins | NA | WARN | Header not set |
| referrer-policy | NA | WARN | Header not set |
| server | Apache/2.4.10 (Debian) | NOTE | Server header found |
| strict-transport-security | NA | WARN | Header not set |
| x-content-type-options | NA | WARN | Header not set |
| x-frame-options | NA | WARN | Header not set |
| x-permitted-cross-domain-policies | NA | WARN | Header not set |
| x-powered-by | NA | WARN | Header not set |
| x-xss-protection | NA | WARN | Header not set |
Tsk, tsk…

``` r
assess_security_headers("https://rud.is/b") %>%
  dplyr::select(-url) %>%
  gt::gt()
```
| header | value | status_code | message |
| :--- | :--- | :--- | :--- |
| access-control-allow-origin | NA | WARN | Header not set |
| content-security-policy | default-src ‘self’ data: fonts.gstatic.com fonts.googleapis.com cdn.ampproject.org *.ampproject.org *.w.org w.org wp.com sendpulse.com gravatar.com *.wp.com *.sendpulse.com *.gravatar.com wordpress.com *.wordpress.com ; script-src ‘self’ data: ‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com fonts.googleapis.com *.w.org w.org wp.com cdn.ampproject.org *.ampproject.org sendpulse.com gravatar.com *.wp.com *.sendpulse.com *.gravatar.com wordpress.com *.wordpress.com; style-src ‘self’ data: ‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com fonts.googleapis.com *.w.org w.org wp.com *.sendpulse.com sendpulse.com *.gravatar.com gravatar.com *.wp.com cdn.ampproject.org \*.ampproject.org; | OK | NOTE: Policy present but not parse |
| expect-ct | NA | WARN | Header not set |
| feature-policy | geolocation ‘none’;midi ‘none’;sync-xhr ‘none’;microphone ‘none’;camera ‘none’;magnetometer ‘none’;gyroscope ‘none’;speaker ‘self’;fullscreen ‘self’;payment ‘none’; | OK | Value present but not verified |
| public-key-pins | NA | WARN | Header not set |
| referrer-policy | no-referrer-when-downgrade | OK | Acceptable setting found |
| server | nginx | NOTE | Server header found |
| strict-transport-security | max-age=31536000; includeSubDomains; preload | OK | Value present but not evaluated |
| x-content-type-options | nosniff | OK | Acceptable setting found |
| x-frame-options | SAMEORIGIN | OK | Acceptable setting found |
| x-permitted-cross-domain-policies | NA | WARN | Header not set |
| x-powered-by | <3 | NOTE | X-Powered-By header present |
| x-xss-protection | 1; mode=block | WARN | Required value (‘nosniff’) not present |
Looks like I gots some ’splainin to do as well.

``` r
hdrs::explain_headers("https://community.rstudio.com/") %>%
  dplyr::select(header, value, enable, security_reference, recommendations) %>%
  gt::gt()
```
| header | value | enable | security_reference | recommendations |
| :--- | :--- | :--- | :--- | :--- |
| cache-control | no-cache, no-store | TRUE | | Do not store unnecessarily sensitive information in the cache. |
| connection | keep-alive | FALSE | | |
| content-encoding | gzip | TRUE | | Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present. This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests. |
| content-security-policy | base-uri ‘none’; object-src ‘none’; script-src ‘unsafe-eval’ ‘report-sample’ ; worker-src ‘self’ blob: | TRUE | | Read the reference and set according to your case. This is not a easy job. |
| content-type | text/html; charset=utf-8 | TRUE | | Properly configure their origin server to provide the correct Content-Type for a given representation. |
| date | Wed, 06 Mar 2019 12:27:24 GMT | FALSE | | |
| referrer-policy | strict-origin-when-cross-origin | NA | NA | NA |
| server | nginx | TRUE | | An origin server SHOULD NOT generate a Server field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties. |
| strict-transport-security | max-age=31536000 | TRUE | | Please at least read this reference: . |
| vary | Accept-Encoding | FALSE | | |
| x-content-type-options | nosniff | TRUE | | Always use the only defined value, “nosniff”. |
| x-discourse-route | list/latest | NA | NA | NA |
| x-download-options | noopen | NA | NA | NA |
| x-frame-options | SAMEORIGIN | TRUE | | In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field “X-Frame-Options” to protect against clickjacking. Please check here what’s the best option for your case. |
| x-permitted-cross-domain-policies | none | NA | NA | NA |
| x-request-id | 4535cc47-f085-4bad-80ae-97aa50034956 | NA | NA | NA |
| x-runtime | 0.117140 | NA | NA | NA |
| x-xss-protection | 1; mode=block | TRUE | | Use “X-XSS-Protection: 1; mode=block” whenever is possible (ref. ). |
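The `assess_security_headers()` output above reports `strict-transport-security` as "present but not evaluated" and `content-security-policy` as "present but not parse[d]". The block below is an added example, not code from the hdrs package, that carries those two checks one step further: it parses the HSTS `max-age` and flags, and it flags a `script-src` (or the `default-src` fallback) that permits `'unsafe-inline'` or `'unsafe-eval'`. It uses base R only and runs offline on a constructed header list shaped like `httr::headers()` output; `hdrs_sample`, `check_hsts()` and `check_csp()` are names introduced here.

```r
# Added example, not hdrs package code. Constructed sample header list (shaped
# like httr::headers() output) modelled on the rud.is/b response shown above.
hdrs_sample <- list(
  `strict-transport-security` = "max-age=31536000; includeSubDomains; preload",
  `content-security-policy` = paste(
    "default-src 'self' data: fonts.gstatic.com;",
    "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' fonts.gstatic.com;",
    "style-src 'self' 'unsafe-inline'"
  )
)

# HSTS: parse max-age and the includeSubDomains / preload flags. RFC 6797 sets
# no minimum, but one year (31536000 s) is the usual bar and the preload list
# requires all three, so anything less is reported as NOTE or WARN.
check_hsts <- function(value, min_age = 31536000L) {
  if (is.null(value)) return(list(status = "WARN", message = "Header not set"))
  toks <- tolower(trimws(strsplit(value, ";", fixed = TRUE)[[1]]))
  age  <- sub("^max-age=", "", grep("^max-age=", toks, value = TRUE))[1]
  age  <- suppressWarnings(as.integer(age))
  if (is.na(age)) return(list(status = "WARN", message = "max-age missing or not numeric"))
  if (age < min_age)
    return(list(status = "WARN", message = sprintf("max-age %d is below %d", age, min_age)))
  subs <- any(toks == "includesubdomains")
  pre  <- any(toks == "preload")
  list(status = if (subs && pre) "OK" else "NOTE",
       message = sprintf("max-age=%d; includeSubDomains=%s; preload=%s", age, subs, pre))
}

# CSP: split into directives, take script-src (or default-src as fallback) and
# flag 'unsafe-inline' / 'unsafe-eval', which remove most of the XSS protection
# a policy is meant to provide.
check_csp <- function(value) {
  if (is.null(value)) return(list(status = "WARN", message = "Header not set"))
  dirs <- trimws(strsplit(value, ";", fixed = TRUE)[[1]])
  dirs <- dirs[nzchar(dirs)]
  keys <- vapply(strsplit(dirs, "\\s+"), `[`, character(1), 1)
  pick <- if ("script-src" %in% keys) "script-src" else "default-src"
  if (!pick %in% keys)
    return(list(status = "WARN", message = "Neither script-src nor default-src set"))
  srcs <- strsplit(dirs[match(pick, keys)], "\\s+")[[1]][-1]
  bad  <- intersect(srcs, c("'unsafe-inline'", "'unsafe-eval'"))
  if (length(bad) > 0)
    return(list(status = "WARN",
                message = sprintf("%s allows %s", pick, paste(bad, collapse = " and "))))
  list(status = "OK", message = sprintf("%s has no unsafe-* keywords", pick))
}

str(check_hsts(hdrs_sample[["strict-transport-security"]]))
str(check_csp(hdrs_sample[["content-security-policy"]]))
```

To run the same checks against a live site, pass the matching elements of `httr::headers(httr::HEAD(url))` instead of `hdrs_sample`; absent headers come back as `NULL` and are reported as "Header not set".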
### Reference

``` r
data(http_headers)

dplyr::glimpse(http_headers)
## Observations: 184
## Variables: 14
## $ header_field_name    "A-IM", "Accept", "Accept-Additions", "Accept-Charset", "Accept-Datetime", "Accept-Encod…
## $ type_1               "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent…
## $ protocol             "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", …
## $ status               "", "standard", "", "standard", "informational", "standard", "", "standard", "", "standa…
## $ reference            "https://tools.ietf.org/html/rfc3229#section-10.5.3", "https://tools.ietf.org/html/rfc72…
## $ type_2               "Request", "Request", "Request", "Request", "Request", "Request", "Request", "Request", …
## $ enable               FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE, TRUE, FALSE, TRUE, FALSE, …
## $ required             NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ https                NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ security_description "", "", "", "", "", "", "", "", "Sometimes an HTTP intermediary might try to detect viru…
## $ security_reference   "", "", "", "", "", "", "", "", "https://tools.ietf.org/html/rfc5789#section-5", "https:…
## $ recommendations      "", "", "", "", "", "", "", "", "Antivirus software scans for viruses or worms.", "Serve…
## $ cwe                  "", "", "", "", "", "", "", "", "CWE-509: Replicating Malicious Code (Virus or Worm)", "…
## $ cwe_url              "\r", "\r", "\r", "\r", "\r", "\r", "\r", "\r", "https://cwe.mitre.org/data/definitions/…
```

## hdrs Metrics

| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
| :--- | -------: | ---: | --: | --: | ----------: | ---: | -------: | ---: |
| R | 11 | 0.92 | 186 | 0.9 | 37 | 0.57 | 85 | 0.63 |
| Rmd | 1 | 0.08 | 21 | 0.1 | 28 | 0.43 | 50 | 0.37 |

## Code of Conduct

Please note that this project is released with a [Contributor Code of Conduct](CONDUCT.md). By participating in this project you agree to abide by its terms.