Added [SecurityHeaders] badge (#3958)

* Added security headers service. * Small improvements from provided feedback. * Fixed failing tests. * Removed grade condition on render method. * Changed protocol and path from pattern to querystring
2019-09-11 02:54:49 +01:00
parent e755e61203
commit fa0a25cf0a
2 changed files with 100 additions and 0 deletions
--- a/services/security-headers/security-headers.service.js
+++ b/services/security-headers/security-headers.service.js
@@ -0,0 +1,93 @@
+'use strict'
+
+const Joi = require('@hapi/joi')
+const { optionalUrl } = require('../validators')
+const { BaseService, NotFound } = require('..')
+
+const queryParamSchema = Joi.object({
+  url: optionalUrl.required(),
+}).required()
+
+const documentation = `
+<p>
+  The <a href="https://securityheaders.com/">Security Headers</a>
+  provide an easy mechanism to analyze HTTP response headers and
+  give information on how to deploy missing headers.
+</p>
+</p>
+  The scan result will be hidden from the public result list and follow redirects will be on too.
+<p>
+`
+
+module.exports = class SecurityHeaders extends BaseService {
+  static get category() {
+    return 'monitoring'
+  }
+
+  static get route() {
+    return {
+      base: '',
+      pattern: 'security-headers',
+      queryParamSchema,
+    }
+  }
+
+  static get examples() {
+    return [
+      {
+        title: 'Security Headers',
+        namedParams: {},
+        queryParams: { url: 'https://shields.io' },
+        staticPreview: this.render({
+          grade: 'A+',
+        }),
+        documentation,
+      },
+    ]
+  }
+
+  static get defaultBadgeData() {
+    return {
+      label: 'security headers',
+    }
+  }
+
+  static render({ grade }) {
+    const colorMap = {
+      'A+': 'brightgreen',
+      A: 'green',
+      B: 'yellow',
+      C: 'yellow',
+      D: 'orange',
+      E: 'orange',
+      F: 'red',
+    }
+
+    return {
+      message: grade,
+      color: colorMap[grade],
+    }
+  }
+
+  async handle({}, { url }) {
+    const { res } = await this._request({
+      url: `https://securityheaders.com`,
+      options: {
+        method: 'HEAD',
+        qs: {
+          q: url,
+          hide: 'on',
+          followRedirects: 'on',
+        },
+      },
+    })
+
+    const grade = res.headers['x-grade']
+
+    if (!grade) {
+      throw new NotFound({ prettyMessage: 'not available' })
+    }
+
+    return this.constructor.render({ grade })
+  }
+}
--- a/services/security-headers/security-headers.tester.js
+++ b/services/security-headers/security-headers.tester.js
@@ -0,0 +1,7 @@
+'use strict'
+
+const t = (module.exports = require('../tester').createServiceTester())
+
+t.create('grade of http://shields.io')
+  .get('/security-headers.json?url=https://shields.io')
+  .expectBadge({ label: 'security headers', message: 'F', color: 'red' })