I did a light scan of my filerun site with this tool: https://pentest-tools.com/ And got these warning, happy to see that there were to critical findings :-) Is this something that can/will be adressed in future updates? (tried to clean up the output and make it readable here)
Missing security header: Content-Security-Policy
Response headers do not include the HTTP Content-Security-Policy security header
The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS). If the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application. Read more about CSP: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Missing security header: X-Frame-Options
Response headers do not include the HTTP X-Frame-Options security header
Because the `X-Frame-Options` header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described in detail here: https://owasp.org/www-community/attacks/Clickjacking
We recommend you to add the `X-Frame-Options` HTTP header with the values `DENY` or `SAMEORIGIN` to every page that you want to be protected against Clickjacking attacks. More information about this issue: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
Missing security header: X-XSS-Protection
Response headers do not include the HTTP X-XSS-Protection security header
The `X-XSS-Protection` HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.
We recommend setting the X-XSS-Protection header to `X-XSS-Protection: 1; mode=block`. More information about this issue: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Missing security header: X-Content-Type-Options
Response headers do not include the X-Content-Type-Options HTTP security header
The HTTP header `X-Content-Type-Options` is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.
We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`. More information about this issue: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options.
Missing security header: Referrer-Policy
Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response.
The Referrer-Policy HTTP header controls how much referrer information the browser will send with each request originated from the current web application. For instance, if a user visits the web page "http://example.com/pricing/" and it clicks on a link from that page going to e.g. "https://www.google.com", the browser will send to Google the full originating URL in the `Referer` header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely. Read more: https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
Server software and technology found
SOFTWARE / VERSION CATEGORY
OpenResty Web servers
Nginx Web servers, Reverse proxies
An attacker could use this information to mount specific attacks against the identified software type and version.
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc. More information about this issue: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html.
Security.txt file is missing
We have detected that the server is missing the security.txt file. There is no particular risk in not creating a valid Security.txt file for your server. However, this file is important because it offers a designated channel for reporting vulnerabilities and security issues.
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server. More information about the security.txt standard: https://securitytxt.org/
Customer support service by UserEcho