
WSTG-CONF-14 #1185

Open: wants to merge 43 commits into base: master

Conversation

@websecnl commented Feb 5, 2025

This PR fixes #1172.

  • This PR handles the issue and requires no additional PRs.
  • You have validated the need for this change.

What did this PR accomplish?

Added WSTG-CONF-14 which covers Misconfiguration in HTTP Security Headers, mainly the following:

  • Security Header with an Empty Value
  • Security Header with an invalid value or name (typos)
  • Overpermissive Security Headers (Allow-Credentials, *)
  • Duplicate Security Headers
  • Legacy Security Headers (which are no longer supported such as HPKP)
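As an added example (not code from the PR or from the WSTG text), the following checker flags each of the five misconfiguration classes listed above over a constructed set of response headers; the known-header list, the accepted-value table, the HPKP header names used as the legacy set and the 0.8 similarity cutoff for typo detection are assumptions made for illustration:

```python
import difflib

# Canonical (lowercase) names of the security headers this checker knows (assumed subset).
KNOWN = ["strict-transport-security", "content-security-policy", "x-content-type-options",
         "x-frame-options", "referrer-policy", "access-control-allow-origin",
         "access-control-allow-credentials"]
LEGACY = {"public-key-pins", "public-key-pins-report-only"}  # HPKP, no longer supported
VALID_VALUES = {"x-content-type-options": {"nosniff"},      # fixed-value headers (assumed subset)
                "x-frame-options": {"deny", "sameorigin"}}

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split raw response header lines into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue  # status line and folded continuation lines are not header fields
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(raw: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings: empty, typo, invalid-value, duplicate, legacy, overpermissive."""
    pairs = parse_headers(raw)
    findings, counts = [], {}
    for name, value in pairs:
        counts[name] = counts.get(name, 0) + 1
        if name in LEGACY:
            findings.append(("legacy", name))
        elif name not in KNOWN:  # unknown name: flag only if it is a near miss of a known one
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            if close:
                findings.append(("typo", f"{name} (did you mean {close[0]}?)"))
        elif value == "":
            findings.append(("empty", name))
        elif name in VALID_VALUES and value.lower() not in VALID_VALUES[name]:
            findings.append(("invalid-value", f"{name}: {value}"))
    findings += [("duplicate", f"{n} x{c}") for n, c in counts.items() if c > 1 and n in KNOWN]
    last = dict(pairs)  # last occurrence wins, which is enough for the CORS pair check
    if (last.get("access-control-allow-origin") == "*"
            and last.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("overpermissive", "Allow-Origin: * together with Allow-Credentials: true"))
    return findings

# Constructed sample response headers showing one instance of each class.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security:
X-Frame-Option: DENY
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Public-Key-Pins: pin-sha256="PLACEHOLDER"; max-age=5184000
"""
```

Running `check_headers(SAMPLE)` yields one finding per class; the typo check deliberately ignores unknown names that are not close to a known security header, so ordinary headers such as Content-Type are not reported.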

@kingthorin (Collaborator) left a comment

Is it worth adding a note about META tag handling/mistakes? What about duplicate or invalid directives within the header value(s)? (Ex: In CSP, etc)


websecnl and others added 16 commits February 5, 2025 18:53
…nd_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md

Co-authored-by: Rick M <kingthorin@users.noreply.github.com>

@websecnl (Author) commented Feb 8, 2025

Is it worth adding a note about META tag handling/mistakes? What about duplicate or invalid directives within the header value(s)? (Ex: In CSP, etc)

As for invalid directives, this has already been added.

META tags aren't really related to headers, are they? Please correct me if I'm wrong.

Moved Test Objectives before Common Security Header Misconfigurations
@kingthorin (Collaborator) commented

There are a number of headers or header behaviours that can be implemented as http-equiv meta tags. Similarly there are some headers/directives that specifically cannot be used in metas.

That being said now that you have me writing this I think we have another section in info leaks via metas so it could also be mentioned there.

@websecnl (Author) commented Feb 8, 2025

That being said now that you have me writing this I think we have another section in info leaks via metas so it could also be mentioned there.

Ah, the meta http-equiv. Gotcha.
No, I think you are right and these should be mentioned in this.

I will update the text and give you another message once I've written about it; this makes sense.

Thanks for mentioning it!

…nd_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md

@kingthorin (Collaborator) commented Feb 24, 2025

Okay, all the linting etc. is finally fixed. Thanks, please make sure I don't accidentally remove any content (I had dropped a paragraph at one point, though I think that was an issue with GitHub parsing suggestions that contain code blocks).

Successfully merging this pull request may close this issue: WSTG-CONF-XX - Security Header Misconfiguration