akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: clean .gitignore cache

Browse Source
This commit is contained in:
GitHub Actions
2026-01-26 19:21:33 +00:00
parent 1b1b3a70b1
commit e5f0fec5db
1483 changed files with 0 additions and 472793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

376
docs/reports/HTTP_HEADER_SCAN.md
View File

@@ -1,376 +0,0 @@
Basic Header:
Scoring:
C 55/100
Content Security Policy (CSP)
25 Failed
Content Security Policy (CSP) header not implemented
Implement one, see MDN's Content Security Policy (CSP) documentation.
Cookies -
No cookies detected
None
Cross Origin Resource Sharing (CORS)
0 Passed
Content is not visible via cross-origin resource sharing (CORS) files or headers.
None
Redirection
20 Failed
Redirects, but final destination is not an HTTPS URL.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy
0* Passed
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS)
0 Passed
Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
Subresource Integrity -
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options
0 Passed
X-Content-Type-Options header set to nosniff.
None
X-Frame-Options
0* Passed
X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
None
Cross Origin Resource Policy -
Cross Origin Resource Policy (CORP) is not implemented (defaults to cross-origin).
None
CSP analysis:
No CSP headers detected
Raw Server Headers:
Header Value
Via 1.1 Caddy
Date Thu, 18 Dec 2025 16:25:00 GMT
Vary Accept-Encoding
Pragma no-cache
Server Kestrel
Alt-Svc h3=":443"; ma=2592000
Expires -1
Connection close
Content-Type text/html
Cache-Control no-cache, no-store
Referrer-Policy strict-origin-when-cross-origin
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block
Transfer-Encoding chunked
X-Content-Type-Options nosniff
Strict-Transport-Security max-age=31536000; includeSubDomains
Strict Header:
Scoring:
B+ 80/100
Content Security Policy (CSP)
0 Passed
Content Security Policy (CSP) implemented with unsafe sources inside style-src. This includes 'unsafe-inline', data: or overly broad sources such as https. 'form-action' is set to 'self', 'none' or 'specific source'
Lock down style-src directive, removing 'unsafe-inline', data: and broad sources.
Cookies -
No cookies detected
None
Cross Origin Resource Sharing (CORS)
0 Passed
Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains.
None
Redirection
20 Failed
Does not redirect to an HTTPS site.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy
0* Passed
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS)
0 Passed
Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
Subresource Integrity -
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options
0 Passed
X-Content-Type-Options header set to nosniff.
None
X-Frame-Options
0* Passed
X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
None
Cross Origin Resource Policy
0* Passed
Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
None
CSP analysis:
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
Passed
Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
Passed
Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
Blocks execution of plug-ins, using object-src restrictions
Passed
Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Failed
Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
Blocks loading of active content over HTTP or FTP
Passed
Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
Blocks loading of passive content over HTTP or FTP
Passed
This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
Clickjacking protection, using frame-ancestors
Failed
The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
Deny by default, using default-src 'none'
Failed
Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.
Failed
The <base> tag can be used to trick your site into loading scripts from untrusted origins.
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
Failed
Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
-
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
Raw server headers:
Header Value
Via 1.1 Caddy
Date Thu, 18 Dec 2025 16:11:11 GMT
Vary Accept-Encoding
Server waitress
Alt-Svc h3=":443"; ma=2592000
Connection close
Content-Type text/html; charset=utf-8
Content-Length 815
Referrer-Policy strict-origin-when-cross-origin
X-Frame-Options DENY
X-Xss-Protection 1; mode=block
Permissions-Policy camera=(), microphone=(), geolocation=()
X-Content-Type-Options nosniff
Content-Security-Policy script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'none'; object-src 'none'; default-src 'self'
Strict-Transport-Security max-age=31536000; includeSubDomains
Cross-Origin-Opener-Policy same-origin
Access-Control-Allow-Origin *
Cross-Origin-Resource-Policy same-origin
Paranoid Header:
Scoring:
B+ 80/100
Content Security Policy (CSP)
0* Passed
Content Security Policy (CSP) implemented with default-src 'none', no 'unsafe' and form-action is set to 'none' or 'self'
None
Cookies -
No cookies detected
None
Cross Origin Resource Sharing (CORS)
0 Passed
Content is not visible via cross-origin resource sharing (CORS) files or headers.
None
Redirection
20 Failed
Redirects, but final destination is not an HTTPS URL.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy
0* Passed
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS)
0 Passed
Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
Subresource Integrity -
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options
0 Passed
X-Content-Type-Options header set to nosniff.
None
X-Frame-Options
0* Passed
X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive.
None
Cross Origin Resource Policy
0* Passed
Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
None
CSP analysis:
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
Passed
Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
Passed
Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
Blocks execution of plug-ins, using object-src restrictions
Passed
Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Passed
Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
Blocks loading of active content over HTTP or FTP
Passed
Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
Blocks loading of passive content over HTTP or FTP
Passed
This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
Clickjacking protection, using frame-ancestors
Passed
The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
Deny by default, using default-src 'none'
Passed
Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.
Passed
The <base> tag can be used to trick your site into loading scripts from untrusted origins.
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
Passed
Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
-
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
Raw server headers:
Via 1.1 Caddy
Date Thu, 18 Dec 2025 16:27:58 GMT
Vary Accept-Encoding
Pragma no-cache
Server Kestrel
Alt-Svc h3=":443"; ma=2592000
Expires -1
Connection close
Content-Type text/html
Cache-Control no-store, no-cache, no-store
Referrer-Policy no-referrer
X-Frame-Options DENY
X-Xss-Protection 1; mode=block
Transfer-Encoding chunked
Permissions-Policy camera=(), microphone=(), geolocation=(), payment=(), usb=()
X-Content-Type-Options nosniff
Content-Security-Policy img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'none'; font-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'
Strict-Transport-Security max-age=31536000; includeSubDomains
Cross-Origin-Opener-Policy same-origin
Cross-Origin-Embedder-Policy require-corp
Cross-Origin-Resource-Policy same-origin