diff --git a/assets/misc/demo_csp_usefulness_in_api_context.mp4 b/assets/misc/demo_csp_usefulness_in_api_context.mp4
new file mode 100644
index 0000000..6d665e9
Binary files /dev/null and b/assets/misc/demo_csp_usefulness_in_api_context.mp4 differ
diff --git a/ci/monitoring_oshp_site_references.py b/ci/monitoring_oshp_site_references.py
index 5b9f9f7..a9a8f54 100644
--- a/ci/monitoring_oshp_site_references.py
+++ b/ci/monitoring_oshp_site_references.py
@@ -37,7 +37,7 @@ def verify_mention(site_url):
             break
     # If mention is not detected then try to check if it's an SPA
     if oshp_is_mentioned == "NO":
-        expr = r'(app|index|main)(\.|-)[a-zA-Z0-9_]+\.js'
+        expr = r'(app|index|main)(\.|-)[a-zA-Z0-9_\-]+\.js'
         bundles = re.findall(expr, content)
         if len(bundles) > 0 or "React" in content:
             oshp_is_mentioned = "SPA"
diff --git a/index.md b/index.md
index ab1aff4..74a0e77 100644
--- a/index.md
+++ b/index.md
@@ -13,8 +13,6 @@ pitch: Provides technical information about HTTP security headers.
 ## Introduction
-> ⚠️ We are currently experiencing a rendering issue **on Firefox** (see [here](https://github.com/OWASP/www-project-secure-headers/issues/251) for details and follow-up information). Therefore, please temporarily use **a Chromium-based browser** to view the site.
-
 ![OSHP Logo](assets/images/oshp_logo.png)
 [![OWASP Production](https://img.shields.io/badge/owasp-production%20project-800080.svg)](https://www.owasp.org/projects)
diff --git a/tab_bestpractices.md b/tab_bestpractices.md
index 04ef802..9163437 100644
--- a/tab_bestpractices.md
+++ b/tab_bestpractices.md
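Review bot: The branch under `if oshp_is_mentioned == "NO":` reclassifies any page that merely contains a hashed bundle name or the bare substring "React" as "SPA", so a site that silently dropped the OSHP mention but ships e.g. `main-abc123.js` is never reported as "NO", and widening the character class in the `expr` line enlarges that blind spot without saying so. A comment above the regex would make the trade-off explicit: `# Heuristic: a hashed bundle name ("main-abc123.js") or "React" in the raw HTML suggests client-side rendering, so a missing mention is inconclusive ("SPA"), not a confirmed removal ("NO")`. The pattern is unanchored and run over the whole response body with `re.findall`, yet only presence is tested, so `if re.search(expr, content) or "React" in content:` says the same thing more directly, assuming `bundles` is not used further down. The body of verify_mention starts before this hunk and continues after it.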
@@ -27,7 +27,9 @@ The following section proposes a configuration for the [actively supported and w
 💡 Additional information about HTTP security headers on [OpenCRE](https://opencre.org/cre/636-347?name=OWASP+Secure+Headers+Project§ion=configuration&link=https%3A%2F%2Fowasp.org%2Fwww-project-secure-headers%2F%23div-bestpractices).
-📖 The headers proposed below can be applied both in the context of a *classic web application* and in that of a *web API*.
+📖 The headers proposed below can be applied both in the context of a *classic web application* and in that of a *web API*:
+
+* This [demonstration video](assets/misc/demo_csp_usefulness_in_api_context.mp4) as well as this [blog post](https://treblle.com/blog/api-escaping-output-importance) show how HTTP response security headers, like the `Content-Security-Policy` one, can be useful in the context of a web API.
 🚩 Regarding the header `Content-Security-Policy`, keep in mind that the policy applicability depends on the execution context. Technical details are available [here](https://www.w3.org/TR/CSP2/#which-policy-applies). Therefore, CSP usage in a web API application implies to **define the CSP in the document consuming the content of the web API**.