14.4 section (HTTP Security Headers) rename / find better category-section for "content-type" requirements. #1808

Status: Open
elarlang opened this issue Dec 15, 2023 · 2 comments
Labels: `2) Awaiting response` (Awaiting a response from the original poster), `V14`, `V50` (Group issues related to Web Frontend), `_5.0 - prep` (This needs to be addressed to prepare 5.0)

Comments

@elarlang (Collaborator)

After browser-related requirements are moved away, there will be only 2 requirements left behind (as those are not that browser-specific and are required for other clients as well).

V14.4 HTTP Security Headers

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| 14.4.1 | [MODIFIED, SPLIT TO 14.4.8] Verify that every HTTP response contains a Content-Type header which matches the actual content of the response. | | | | 173 |
| 14.4.8 | [ADDED, SPLIT FROM 14.4.1] Verify that if a response specifies a Content-Type of "text/*", "*/*+xml" and "*/xml", it also specifies a safe character set (e.g., UTF-8, ISO-8859-1) with the charset parameter. | | | | 173 |

Now the section title is misleading. I also think those requirements should not belong to the Configuration category.
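A checker for the two requirements quoted in the table above, added here as an example; it is not code from ASVS or from anyone in this thread. It assumes a small set of constructed byte-signature heuristics for 14.4.1 (not the full MIME sniffing algorithm browsers run) and an allowlist `SAFE_CHARSETS` that extends the two charsets 14.4.8 names; the function names, the `headers`/`body` parameters and the sample responses are mine.

```python
import re

# Assumption (not from ASVS): charsets this checker treats as "safe". 14.4.8 only
# gives UTF-8 and ISO-8859-1 as examples; restrict this to what your app may emit.
SAFE_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}

# Constructed byte-signature heuristics for 14.4.1 ("matches the actual content").
# Each entry: (label, regex on the first bytes of the body, predicate that says
# whether the declared media type is consistent with that signature). This is a
# deliberately small list, not the WHATWG MIME sniffing algorithm browsers use.
_SIGNATURES = [
    ("XML", re.compile(rb"^\s*<\?xml"),
     lambda mt: mt.endswith("/xml") or mt.endswith("+xml")),
    ("HTML", re.compile(rb"^\s*(<!doctype\s+html|<html)", re.IGNORECASE),
     lambda mt: mt == "text/html"),
    ("JSON", re.compile(rb"^\s*[\[{]"),
     lambda mt: mt == "application/json" or mt.endswith("+json")),
    ("PNG", re.compile(rb"^\x89PNG\r\n\x1a\n"),
     lambda mt: mt == "image/png"),
    ("PDF", re.compile(rb"^%PDF-"),
     lambda mt: mt == "application/pdf"),
]


def parse_content_type(value):
    """Split a Content-Type header value into (media_type, params), both lowercased.

    Quoted parameter values are unquoted; whitespace around ';' and '=' is ignored.
    """
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        name, sep, val = part.partition("=")
        if sep:
            params[name.strip().lower()] = val.strip().strip('"').lower()
    return media_type, params


def charset_required(media_type):
    """14.4.8 applies to text/*, */xml and */*+xml."""
    maintype, _, subtype = media_type.partition("/")
    return maintype == "text" or subtype == "xml" or subtype.endswith("+xml")


def check_response(headers, body):
    """Return the list of 14.4.1 / 14.4.8 findings for one response (empty = pass).

    headers: dict of response header name -> value (names matched case-insensitively)
    body:    response body as bytes
    """
    findings = []
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), None)
    if content_type is None:
        return ["14.4.1: no Content-Type header"]

    media_type, params = parse_content_type(content_type)
    if "/" not in media_type:
        return [f"14.4.1: malformed Content-Type {content_type!r}"]

    # 14.4.1: the declared type must agree with what the body actually looks like.
    for label, signature, declared_ok in _SIGNATURES:
        if signature.search(body):
            if not declared_ok(media_type):
                findings.append(
                    f"14.4.1: body looks like {label} but Content-Type is {media_type}")
            break

    # 14.4.8: textual and XML types must carry a charset from the allowlist.
    if charset_required(media_type):
        charset = params.get("charset")
        if charset is None:
            findings.append(f"14.4.8: {media_type} has no charset parameter")
        elif charset not in SAFE_CHARSETS:
            findings.append(f"14.4.8: charset {charset!r} is not in the allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = [
        ({"Content-Type": "text/html; charset=utf-8"}, b"<!DOCTYPE html><html></html>"),
        ({"content-type": "text/plain"}, b"<html><script>1</script></html>"),
        ({"Content-Type": 'application/xml; charset="UTF-16"'}, b"<?xml version='1.0'?><a/>"),
        ({"Content-Type": "image/svg+xml"}, b"<?xml version='1.0'?><svg/>"),
        ({}, b"{}"),
    ]
    for headers, body in samples:
        print(headers.get("Content-Type", headers.get("content-type")), "->",
              check_response(headers, body) or "OK")
```

The split into `charset_required` and the signature table mirrors the split in the table: 14.4.8 is a pure function of the declared media type, while 14.4.1 needs the body, which is why the latter can only ever be a heuristic outside a browser.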

elarlang pushed a commit to elarlang/ASVS that referenced this issue Dec 15, 2023
elarlang added the `V14` label Dec 15, 2023
tghosth pushed a commit that referenced this issue Dec 21, 2023
@elarlang (Collaborator, Author)

The change is done now: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md#v144-http-security-headers

Note: the initial idea was to move those (14.4.1 and 14.4.8) requirements to the section "Unintended Content Interpretation": https://github.com/OWASP/ASVS/blob/master/5.0/en/0x50-V50-Web-Frontend-Security.md#v505-unintended-content-interpretation

@tghosth (Collaborator) commented Dec 28, 2023

Ok so I feel like these should not strictly belong to the browser category because they could be relevant to other apps which pull resources via HTTP.

tghosth added the `2) Awaiting response`, `_5.0 - prep` and `V50` labels Jan 24, 2024