Comments (9)
(defparameter *csp-header*
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'")

(easy-routes:defroute main ("/" :method :get) ()
  (let ((html (page-root)))
    ;; Generate the HTML using the table-list* function
    (setf (hunchentoot:content-type*) "text/html")
    ;; Attach the CSP header to this route's reply only
    (setf (hunchentoot:header-out "Content-Security-Policy") *csp-header*)
    (format nil "~a" html)))
all CSP
from hunchentoot.
I am not aware of anyone having done a vulnerability report on Hunchentoot. I'm not even sure what a vulnerability report means in this context, honestly.
from hunchentoot.
I think hunchentoot is too plain, just an HTTP server, to have many vulnerabilities.
Many vulnerabilities come from applications on top of HTTP.
Like Cross-Site Scripting issues, SNI issues, etc.
from hunchentoot.
@gassechen No entity is providing a vulnerability report for Hunchentoot. The software is community maintained, and there are no formal security reporting and fix channels in place. If ISO/IEC 12207:2008 compliance is required by your organization, you need to prepare yourself to have the required audits be performed by an appropriate third party.
Sadly, the non-functional and non-technical requirements that are imposed by security-related compliance frameworks and standards make using niche languages and ecosystems in organizations that use such frameworks difficult. If your project is important enough, you may be able to discuss with your security department what precisely is required by them. Be prepared to provide them with a good description of your project and with a risk assessment that you did on your own. Depending on their workload and their flexibility, they may be willing and able to accommodate you, even though you are not able to back yourself with what would be available with more popular language environments.
from hunchentoot.
I understand. Thanks, I'm going to use this software https://www.zaproxy.org/ and a bash script to automate the scanning and detection of vulnerabilities, and I hope it's enough for the security department, so I can continue using Common Lisp.
from hunchentoot.
Response headers can be added as needed. There are tons that pen testers might suggest adding to prevent some form of attack or exploitation. But this also happens on state-of-the-art Java or other HTTP servers. They don't by default add all the response headers.
from hunchentoot.
Thank you. These are the results that this software gave me. Should I make an application in hunchentoot with the GET, POST, PUT and DELETE verbs to check for more vulnerability suggestions? See how I add the headers in hunchentoot?
from hunchentoot.
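An added example, not code from this thread or from the hunchentoot project, that addresses the last two comments together. Setting the header inside one route, as in the first comment's snippet, leaves every other reply uncovered: static files, easy-handlers and the default 404 page all go out without it, and a scanner will report each of those paths separately. A `:before` method on `hunchentoot:acceptor-dispatch-request` runs before any handler is chosen, so the headers land on every reply regardless of which code produces it; HSTS is added only when the acceptor actually serves TLS, because browsers ignore it on plain HTTP. Routes for GET, POST, PUT and DELETE on a small `/items` resource give ZAP something to exercise. The acceptor class, route names, the `/items` resource, the header values and the in-memory store are illustrative choices of this example; only the hunchentoot and easy-routes calls themselves are the libraries' own API.

```lisp
;;; Added example: security headers on every reply, plus GET/POST/PUT/DELETE routes.
;;; Not from the thread or the hunchentoot project. Class names, route names,
;;; header values and the in-memory store are illustrative assumptions.

(ql:quickload '(:hunchentoot :easy-routes))

(defparameter *security-headers*
  '(("Content-Security-Policy"
     . "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'")
    ("X-Content-Type-Options" . "nosniff")
    ("X-Frame-Options" . "DENY")
    ("Referrer-Policy" . "no-referrer")
    ("Permissions-Policy" . "camera=(), microphone=(), geolocation=()"))
  "Headers attached to every reply, whichever handler produces it.")

(defclass hardened-acceptor (easy-routes:easy-routes-acceptor) ()
  (:documentation "easy-routes acceptor whose replies always carry *security-headers*."))

;; Runs before routes, easy-handlers, static files and the default 404,
;; so there is no path a scanner can reach that lacks the headers.
(defmethod hunchentoot:acceptor-dispatch-request :before
    ((acceptor hardened-acceptor) request)
  (declare (ignore request))
  (loop for (name . value) in *security-headers*
        do (setf (hunchentoot:header-out name) value))
  ;; HSTS is only meaningful over TLS; browsers ignore it on plain HTTP.
  (when (hunchentoot:acceptor-ssl-p acceptor)
    (setf (hunchentoot:header-out "Strict-Transport-Security")
          "max-age=31536000; includeSubDomains")))

;; Constructed in-memory store so the four verbs have something to act on.
(defvar *items* (make-hash-table :test 'equal))

(defun plain-text ()
  (setf (hunchentoot:content-type*) "text/plain"))

;; Path parameter :id is bound to the variable ID by easy-routes.
(easy-routes:defroute get-item ("/items/:id" :method :get) ()
  (plain-text)
  (or (gethash id *items*)
      (progn (setf (hunchentoot:return-code*) hunchentoot:+http-not-found+)
             "no such item")))

;; Form-encoded POST: easy-routes binds the VALUE field via &post.
(easy-routes:defroute create-item ("/items/:id" :method :post) (&post value)
  (plain-text)
  (setf (gethash id *items*) (or value ""))
  (setf (hunchentoot:return-code*) hunchentoot:+http-created+)
  "created")

;; Hunchentoot parses form parameters for the methods in
;; *methods-for-post-parameters* (POST by default), so PUT reads the raw body.
(easy-routes:defroute update-item ("/items/:id" :method :put) ()
  (plain-text)
  (setf (gethash id *items*) (or (hunchentoot:raw-post-data :force-text t) ""))
  "updated")

(easy-routes:defroute delete-item ("/items/:id" :method :delete) ()
  (remhash id *items*)
  (setf (hunchentoot:return-code*) hunchentoot:+http-no-content+)
  "")

(defvar *server* nil)

(defun start-server (&optional (port 8080))
  (setf *server* (hunchentoot:start (make-instance 'hardened-acceptor :port port))))

(defun stop-server ()
  (when *server*
    (hunchentoot:stop *server*)
    (setf *server* nil)))
```

After `(start-server)`, `curl -i http://localhost:8080/items/a` returns a 404 that still carries every header in `*security-headers*`, which is the case the per-route approach misses; `curl -i -X POST -d value=hello http://localhost:8080/items/a`, `curl -i -X PUT --data-binary bye http://localhost:8080/items/a` and `curl -i -X DELETE http://localhost:8080/items/a` exercise the other verbs. Run the scanner against the same port with the server up; the header checks ZAP performs are exactly the ones this acceptor answers for every path, so remaining findings will be about the application's own behaviour rather than missing headers.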