twa
A tiny web auditor with strong opinions.
It might be interesting to add some Web Application Firewall detection techniques. I don't know much about WAFs, but it looks like there are some common oracles: * Known cookies...
An idea to have a new flag to display certain audit conditions. Normal example run.

```
$ twa google.com
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security...
```
`.well-known` ([RFC](https://tools.ietf.org/html/rfc8615)) is becoming an increasingly popular destination for stashing site-wide metadata. Some of that metadata is relevant to site security or may unintentionally leak information, so we should scan...
Per MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy Looks like this got renamed a while back; we should probably flag a `MEH` if a site reports `Feature-Policy`.
This should use GitHub's dedicated workflows, rather than the stuff I've hacked together.
This PR adds a Dependabot configuration file to automatically keep dependencies up to date.

## Changes

- Adds `.github/dependabot.yml` with appropriate configuration for this repository's technology stack
- Configures weekly...
Fortunately, no one created a 'trailofbis' docker account :-)