Fixed bug in Mutliple Security Header Check.js

Signed-off-by: Simon Bennetts <psiinon@gmail.com>
zaproxy · Aug 6, 2024 · 9fa302c · 9fa302c
1 parent bf5135a
commit 9fa302c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [Unreleased]
 ### Changed
 - Add cautionary note to help and readme.
+### Fixed 
+- Bug in 'Mutliple Security Header Check.js'.
 
 ## [19] - 2024-07-01
 ### Added

diff --git a/passive/Mutliple Security Header Check.js b/passive/Mutliple Security Header Check.js
@@ -50,17 +50,21 @@ function scan(helper, msg, src) {
  "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
  "",
  ];
+ var responseHeader = msg.getResponseHeader().toString();
 
  // test sts
  if (msg.getRequestHeader().isSecure()) {
- if (msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null)
+ if (
+ msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null
+ ) {
  helper
  .newAlert()
  .setName(alertTitle[0])
  .setDescription(alertDesc[0])
  .setSolution(alertSolution[0])
  .setMessage(msg)
  .raise();
+ }
  }
  // test csp
  if (
@@ -69,14 +73,15 @@ function scan(helper, msg, src) {
  "X-Content-Security-Policy",
  "X-WebKit-CSP",
  ])
- )
+ ) {
  helper
  .newAlert()
  .setName(alertTitle[1])
  .setDescription(alertDesc[1])
  .setSolution(alertSolution[1])
  .setMessage(msg)
  .raise();
+ }
 
  // test xxs protection
  var re_xss = /(X\-XSS\-Protection\:.+1)/g;