vulnerability report about hunchentoot (OPEN, 9 comments)

gassechen avatar gassechen commented on June 3, 2024
vulnerability report

Comments (9)

gassechen avatar gassechen commented on June 3, 2024

(defparameter *csp-header*
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'")

(easy-routes:defroute main ("/" :method :get) ()
  ;; Generate the HTML using the table-list* function
  (let ((html (page-root)))
    (setf (hunchentoot:content-type*) "text/html")
    ;; Add the CSP header to this response before returning the body
    (setf (hunchentoot:header-out "Content-Security-Policy") *csp-header*)
    (format nil "~a" html)))

all CSP

gefjon avatar gefjon commented on June 3, 2024

I am not aware of anyone having done a vulnerability report on Hunchentoot. I'm not even sure what a vulnerability report means in this context, honestly.

mdbergmann avatar mdbergmann commented on June 3, 2024

I think hunchentoot is too plain, just an HTTP server, to have many vulnerabilities.
Many vulnerabilities come from applications on top of HTTP,
like cross-site scripting issues, SNI issues, etc.

hanshuebner avatar hanshuebner commented on June 3, 2024

@gassechen No entity is providing a vulnerability report for Hunchentoot. The software is community maintained, and there are no formal security reporting and fix channels in place. If ISO/IEC 12207:2008 compliance is required by your organization, you need to prepare yourself to have the required audits performed by an appropriate third party.

Sadly, the non-functional and non-technical requirements that are imposed by security-related compliance frameworks and standards make using niche languages and ecosystems in organizations that use such frameworks difficult. If your project is important enough, you may be able to discuss with your security department what precisely is required by them. Be prepared to provide them with a good description of your project and with a risk assessment that you did on your own. Depending on their workload and their flexibility, they may be willing and able to accommodate you, even though you are not able to back yourself with what would be available with more popular language environments.

gassechen avatar gassechen commented on June 3, 2024

I understand. Thanks, I'm going to use this software https://www.zaproxy.org/ and a bash script to automate the scanning and detection of vulnerabilities, and I hope it's enough for the security department, so I can continue using Common Lisp.

gassechen avatar gassechen commented on June 3, 2024

[image]

[image]

gassechen avatar gassechen commented on June 3, 2024

[image]

mdbergmann avatar mdbergmann commented on June 3, 2024

Response headers can be added as needed. There are tons that pen testers might suggest adding to prevent some form of attack or exploitation. But this also happens on state-of-the-art Java or other HTTP servers. They don't add all the response headers by default.

gassechen avatar gassechen commented on June 3, 2024

Thank you. These are the results that this software gave me. Should I make an application in hunchentoot with the GET, POST, PUT and DELETE verbs to check for more vulnerability suggestions? See how I add the headers in hunchentoot?
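The route in the first comment sets Content-Security-Policy on one handler; a scanner such as ZAP will flag every other route that lacks it. The following is an added example, not code from the thread or from the Hunchentoot project: it wraps the acceptor's request dispatch in an :around method so a fixed set of hardening headers is attached to every response, whatever route or verb handles it. The package name, the header set and values, the port and the handler are assumptions made for this example; tune the header values to the application (the CSP in particular).

```lisp
;;; Added example (not Hunchentoot's own code, not from the thread):
;;; apply security response headers to every response by wrapping
;;; ACCEPTOR-DISPATCH-REQUEST on an acceptor subclass, instead of
;;; repeating (SETF HEADER-OUT) in each route.
;;; Assumes Quicklisp is available to load hunchentoot.

(ql:quickload '("hunchentoot"))

(defpackage :secure-headers-example   ; package name is an assumption
  (:use :cl))
(in-package :secure-headers-example)

(defparameter *security-headers*
  '(("Content-Security-Policy"
     . "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-ancestors 'none'")
    ("X-Content-Type-Options" . "nosniff")
    ("X-Frame-Options"        . "DENY")
    ("Referrer-Policy"        . "no-referrer")
    ("Cache-Control"          . "no-store"))
  "Headers added to every response. These values are an assumed baseline,
   not a recommendation from the Hunchentoot project.")

(defclass secure-acceptor (hunchentoot:easy-acceptor)
  ()
  (:documentation "An easy-acceptor that adds *SECURITY-HEADERS* to every response."))

(defmethod hunchentoot:acceptor-dispatch-request :around
    ((acceptor secure-acceptor) request)
  "Set the headers before the handler runs, so a handler can still override
   one (SETF HEADER-OUT replaces an existing header of the same name)."
  (loop for (name . value) in *security-headers*
        do (setf (hunchentoot:header-out name) value))
  ;; HSTS only makes sense on a TLS listener; sending it over plain HTTP
  ;; does nothing useful and can confuse clients during testing.
  (when (hunchentoot:ssl-p acceptor)
    (setf (hunchentoot:header-out "Strict-Transport-Security")
          "max-age=31536000; includeSubDomains"))
  (call-next-method))

;; A minimal handler: it only sets the content type and returns the body;
;; the security headers come from the acceptor, not from the handler.
(hunchentoot:define-easy-handler (root :uri "/") ()
  (setf (hunchentoot:content-type*) "text/html; charset=utf-8")
  "<html><body><h1>Hello from secure-acceptor</h1></body></html>")

(defvar *server* nil)

(defun start-server (&key (port 8080))   ; port is an assumption
  (setf *server*
        (hunchentoot:start (make-instance 'secure-acceptor :port port))))

(defun stop-server ()
  (when *server*
    (hunchentoot:stop *server*)
    (setf *server* nil)))
```

After (start-server), curl -I http://localhost:8080/ should show every header from *security-headers* on the root route and on any other route added later, which is the property a scanner re-run would confirm. Because the headers are set before call-next-method, a route that legitimately needs a different policy (for example a page embedding an allowed third-party script) can still (setf (hunchentoot:header-out "Content-Security-Policy") ...) itself and the override wins.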
