From 9fa302c88b4a76b8c7f695e0789375cb3f8cf5c7 Mon Sep 17 00:00:00 2001
From: Simon Bennetts <psiinon@gmail.com>
Date: Tue, 6 Aug 2024 11:15:48 +0100
Subject: [PATCH] Fixed bug in Mutliple Security Header Check.js

Signed-off-by: Simon Bennetts <psiinon@gmail.com>
---
 CHANGELOG.md                              | 2 ++
 passive/Mutliple Security Header Check.js | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b54ddd8..81a45ee8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [Unreleased]
 ### Changed
 - Add cautionary note to help and readme.
+### Fixed 
+- Bug in 'Mutliple Security Header Check.js'.
 
 ## [19] - 2024-07-01
 ### Added
diff --git a/passive/Mutliple Security Header Check.js b/passive/Mutliple Security Header Check.js
index 4da29dc4..59a6dd35 100644
--- a/passive/Mutliple Security Header Check.js	
+++ b/passive/Mutliple Security Header Check.js	
@@ -50,10 +50,13 @@ function scan(helper, msg, src) {
     "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY.  ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
     "",
   ];
+  var responseHeader = msg.getResponseHeader().toString();
 
   // test sts
   if (msg.getRequestHeader().isSecure()) {
-    if (msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null)
+    if (
+      msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null
+    ) {
       helper
         .newAlert()
         .setName(alertTitle[0])
@@ -61,6 +64,7 @@ function scan(helper, msg, src) {
         .setSolution(alertSolution[0])
         .setMessage(msg)
         .raise();
+    }
   }
   // test csp
   if (
@@ -69,7 +73,7 @@ function scan(helper, msg, src) {
       "X-Content-Security-Policy",
       "X-WebKit-CSP",
     ])
-  )
+  ) {
     helper
       .newAlert()
       .setName(alertTitle[1])
@@ -77,6 +81,7 @@ function scan(helper, msg, src) {
       .setSolution(alertSolution[1])
       .setMessage(msg)
       .raise();
+  }
 
   // test xxs protection
   var re_xss = /(X\-XSS\-Protection\:.+1)/g;