Ejemplo n.º 1
0
    def do_pre_handshake(self, network_timeout):
        """Open a socket to the server; setup HTTP tunneling if a proxy was configured.
        """
        if self._tunnel_host:
            # Proxy configured; setup HTTP tunneling
            try:
                self._sock = socket.create_connection(
                    (self._tunnel_host, self._tunnel_port), network_timeout)
            except socket.timeout as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(e[0]))
            except socket.error as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(e[1]))

            # Send a CONNECT request with the host we want to tunnel to
            if self._tunnel_basic_auth_token is None:
                self._sock.send(
                    self.HTTP_CONNECT_REQ.format(self._host, self._port))
            else:
                self._sock.send(
                    self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(
                        self._host, self._port, self._tunnel_basic_auth_token))
            http_response = HttpResponseParser.parse(self._sock)

            # Check if the proxy was able to connect to the host
            if http_response.status != 200:
                raise ProxyError(self.ERR_CONNECT_REJECTED)
        else:
            # No proxy; connect directly to the server
            self._sock = socket.create_connection((self._ip, self._port),
                                                  network_timeout)
Ejemplo n.º 2
0
    def _get_security_headers(cls, server_info):
        hpkp_report_only = False

        # Perform the SSL handshake
        ssl_connection = server_info.get_preconfigured_ssl_connection()
        ssl_connection.connect()
        certificate_chain = ssl_connection.get_peer_cert_chain()

        # Send an HTTP GET request to the server
        ssl_connection.write(
            HttpRequestGenerator.get_request(host=server_info.hostname))
        http_resp = HttpResponseParser.parse(ssl_connection)
        ssl_connection.close()

        if http_resp.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError('Server did not return an HTTP response')
        else:
            hsts_header = http_resp.getheader('strict-transport-security',
                                              None)
            hpkp_header = http_resp.getheader('public-key-pins', None)
            if hpkp_header is None:
                hpkp_report_only = True
                hpkp_header = http_resp.getheader(
                    'public-key-pins-report-only', None)

        # We do not follow redirections because the security headers must be set on the first page according to
        # https://hstspreload.appspot.com/:
        # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
        # header (rather than the page it redirects to)."

        return hsts_header, hpkp_header, hpkp_report_only, certificate_chain
Ejemplo n.º 3
0
    def _get_security_headers(cls, server_info):
        hpkp_report_only = False

        # Perform the SSL handshake
        ssl_connection = server_info.get_preconfigured_ssl_connection()
        ssl_connection.connect()
        certificate_chain = ssl_connection.get_peer_cert_chain()

        # Send an HTTP GET request to the server
        ssl_connection.write(HttpRequestGenerator.get_request(host=server_info.hostname))
        http_resp = HttpResponseParser.parse(ssl_connection)
        ssl_connection.close()

        if http_resp.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError("Server did not return an HTTP response")
        else:
            hsts_header = http_resp.getheader("strict-transport-security", None)
            hpkp_header = http_resp.getheader("public-key-pins", None)
            if hpkp_header is None:
                hpkp_report_only = True
                hpkp_header = http_resp.getheader("public-key-pins-report-only", None)

        # We do not follow redirections because the security headers must be set on the first page according to
        # https://hstspreload.appspot.com/:
        # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
        # header (rather than the page it redirects to)."

        return hsts_header, hpkp_header, hpkp_report_only, certificate_chain
Ejemplo n.º 4
0
    def create_connection(self, timeout: int) -> socket.SocketType:
        """Setup HTTP tunneling with the configured proxy.
        """
        # Setup HTTP tunneling
        try:
            sock = socket.create_connection((self._tunnel_host, self._tunnel_port), timeout=timeout)
        except socket.timeout as e:
            raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))
        except socket.error as e:
            raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))

        # Send a CONNECT request with the host we want to tunnel to
        if self._tunnel_basic_auth_token is None:
            sock.send(self.HTTP_CONNECT_REQ.format(self._server_host, self._server_port).encode('utf-8'))
        else:
            sock.send(self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(
                self._server_host, self._server_port, self._tunnel_basic_auth_token
            ).encode('utf-8'))
        http_response = HttpResponseParser.parse_from_socket(sock)

        # Check if the proxy was able to connect to the host
        if http_response.status != 200:
            raise ProxyError(self.ERR_CONNECT_REJECTED)

        return sock
Ejemplo n.º 5
0
    def post_handshake_check(self):

        try:
            # TODO: This is code only used by OpenSSLCipherSuitesPlugin anf should be moved there
            # Send an HTTP GET to the server and store the HTTP Status Code
            self.write(HttpRequestGenerator.get_request(self._host))

            # Parse the response and print the Location header
            http_response = HttpResponseParser.parse(self)
            if http_response.version == 9:
                # HTTP 0.9 => Probably not an HTTP response
                result = self.ERR_NOT_HTTP
            else:
                redirect = ''
                if 300 <= http_response.status < 400:
                    if http_response.getheader('Location', None):
                        # Add redirection URL to the result
                        redirect = ' - ' + http_response.getheader(
                            'Location', None)

                result = self.GET_RESULT_FORMAT.format(http_response.status,
                                                       http_response.reason,
                                                       redirect)
        except socket.timeout:
            result = self.ERR_HTTP_TIMEOUT
        except IOError:
            result = self.ERR_GENERIC

        return result
Ejemplo n.º 6
0
    def create_connection(self, timeout: int) -> socket.SocketType:
        """Setup HTTP tunneling with the configured proxy.
        """
        # Setup HTTP tunneling
        try:
            sock = socket.create_connection(
                (self._tunnel_host, self._tunnel_port), timeout=timeout)
        except socket.timeout as e:
            raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))
        except socket.error as e:
            raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))

        # Send a CONNECT request with the host we want to tunnel to
        if self._tunnel_basic_auth_token is None:
            sock.send(
                self.HTTP_CONNECT_REQ.format(
                    self._server_host, self._server_port).encode("utf-8"))
        else:
            sock.send(
                self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(
                    self._server_host, self._server_port,
                    self._tunnel_basic_auth_token).encode("utf-8"))
        http_response = HttpResponseParser.parse_from_socket(sock)

        # Check if the proxy was able to connect to the host
        if http_response.status != 200:
            raise ProxyError(self.ERR_CONNECT_REJECTED)

        return sock
    def send_request(self, ssl_client: SslClient) -> str:
        """Send an HTTP GET to the server and return the HTTP status code.
        """
        try:
            ssl_client.write(HttpRequestGenerator.get_request(self._hostname))

            # Parse the response and print the Location header
            http_response = HttpResponseParser.parse_from_ssl_connection(ssl_client)
            if http_response.version == 9:
                # HTTP 0.9 => Probably not an HTTP response
                result = self.ERR_NOT_HTTP
            else:
                redirect = ''
                if 300 <= http_response.status < 400:
                    redirect_location = http_response.getheader('Location')
                    if redirect_location:
                        # Add redirection URL to the result
                        redirect = f' - {redirect_location}'

                result = self.GET_RESULT_FORMAT.format(http_response.status, http_response.reason, redirect)
        except socket.timeout:
            result = self.ERR_HTTP_TIMEOUT
        except IOError:
            result = self.ERR_GENERIC

        return result
Ejemplo n.º 8
0
    def do_pre_handshake(self, network_timeout):
        # type: (int) -> socket
        """Open a socket to the server; setup HTTP tunneling if a proxy was configured.
        """
        if self._tunnel_host:
            # Proxy configured; setup HTTP tunneling
            try:
                sock = socket.create_connection((self._tunnel_host, self._tunnel_port), network_timeout)
            except socket.timeout as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))
            except socket.error as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))

            # Send a CONNECT request with the host we want to tunnel to
            if self._tunnel_basic_auth_token is None:
                sock.send(self.HTTP_CONNECT_REQ.format(self._hostname, self._port).encode('utf-8'))
            else:
                sock.send(self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(self._hostname,
                                                                        self._port,
                                                                        self._tunnel_basic_auth_token).encode('utf-8'))
            http_response = HttpResponseParser.parse(sock)

            # Check if the proxy was able to connect to the host
            if http_response.status != 200:
                raise ProxyError(self.ERR_CONNECT_REJECTED)
        else:
            # No proxy; connect directly to the server
            sock = socket.create_connection(address=(self._ip_address, self._port), timeout=network_timeout)

        # Pass the connected socket to the SSL client
        self.ssl_client.set_underlying_socket(sock)
        return sock
Ejemplo n.º 9
0
    def do_pre_handshake(self, network_timeout):
        # type: (int) -> socket
        """Open a socket to the server; setup HTTP tunneling if a proxy was configured.
        """
        if self._tunnel_host:
            # Proxy configured; setup HTTP tunneling
            try:
                sock = socket.create_connection((self._tunnel_host, self._tunnel_port), network_timeout)
            except socket.timeout as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))
            except socket.error as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e)))

            # Send a CONNECT request with the host we want to tunnel to
            if self._tunnel_basic_auth_token is None:
                sock.send(self.HTTP_CONNECT_REQ.format(self._hostname, self._port).encode('utf-8'))
            else:
                sock.send(self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(self._hostname,
                                                                        self._port,
                                                                        self._tunnel_basic_auth_token).encode('utf-8'))
            http_response = HttpResponseParser.parse(sock)

            # Check if the proxy was able to connect to the host
            if http_response.status != 200:
                raise ProxyError(self.ERR_CONNECT_REJECTED)
        else:
            # No proxy; connect directly to the server
            sock = socket.create_connection(address=(self._ip_address, self._port), timeout=network_timeout)

        # Pass the connected socket to the SSL client
        self.ssl_client.set_underlying_socket(sock)
        return sock
Ejemplo n.º 10
0
    def post_handshake_check(self):
        # type: () -> Text
        try:
            # Send an HTTP GET to the server and store the HTTP Status Code
            self.write(HttpRequestGenerator.get_request(self._hostname))

            # Parse the response and print the Location header
            http_response = HttpResponseParser.parse(self)
            if http_response.version == 9:
                # HTTP 0.9 => Probably not an HTTP response
                result = self.ERR_NOT_HTTP
            else:
                redirect = ''
                if 300 <= http_response.status < 400:
                    if http_response.getheader('Location', None):
                        # Add redirection URL to the result
                        redirect = ' - ' + http_response.getheader('Location', None)

                result = self.GET_RESULT_FORMAT.format(http_response.status, http_response.reason, redirect)
        except socket.timeout:
            result = self.ERR_HTTP_TIMEOUT
        except IOError:
            result = self.ERR_GENERIC

        return result
Ejemplo n.º 11
0
    def post_handshake_check(self):

        try:
            # TODO: This is code only used by OpenSSLCipherSuitesPlugin anf should be moved there
            # Send an HTTP GET to the server and store the HTTP Status Code
            self.write(HttpRequestGenerator.get_request(self._host))

            # Parse the response and print the Location header
            http_response = HttpResponseParser.parse(self)
            if http_response.version == 9:
                # HTTP 0.9 => Probably not an HTTP response
                result = self.ERR_NOT_HTTP
            else:
                redirect = ""
                if 300 <= http_response.status < 400:
                    if http_response.getheader("Location", None):
                        # Add redirection URL to the result
                        redirect = " - " + http_response.getheader("Location", None)

                result = self.GET_RESULT_FORMAT.format(http_response.status, http_response.reason, redirect)
        except socket.timeout:
            result = self.ERR_HTTP_TIMEOUT
        except IOError:
            result = self.ERR_GENERIC

        return result
Ejemplo n.º 12
0
    def do_pre_handshake(self, network_timeout):
        """Open a socket to the server; setup HTTP tunneling if a proxy was configured.
        """
        if self._tunnel_host:
            # Proxy configured; setup HTTP tunneling
            try:
                self._sock = socket.create_connection((self._tunnel_host, self._tunnel_port), network_timeout)
            except socket.timeout as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(e[0]))
            except socket.error as e:
                raise ProxyError(self.ERR_PROXY_OFFLINE.format(e[1]))

            # Send a CONNECT request with the host we want to tunnel to
            if self._tunnel_basic_auth_token is None:
                self._sock.send(self.HTTP_CONNECT_REQ.format(self._host, self._port))
            else:
                self._sock.send(
                    self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(self._host, self._port, self._tunnel_basic_auth_token)
                )
            http_response = HttpResponseParser.parse(self._sock)

            # Check if the proxy was able to connect to the host
            if http_response.status != 200:
                raise ProxyError(self.ERR_CONNECT_REJECTED)
        else:
            # No proxy; connect directly to the server
            self._sock = socket.create_connection((self._ip, self._port), network_timeout)
Ejemplo n.º 13
0
    def process_task(
            self,
            server_info: ServerConnectivityInfo,
            scan_command: PluginScanCommand
    ) -> 'HttpHeadersScanResult':
        if not isinstance(scan_command, HttpHeadersScanCommand):
            raise ValueError('Unexpected scan command')

        if server_info.tls_wrapped_protocol not in [TlsWrappedProtocolEnum.PLAIN_TLS, TlsWrappedProtocolEnum.HTTPS]:
            raise ValueError('Cannot test for HTTP headers on a StartTLS connection.')

        # Perform the SSL handshake
        mozilla_store = TrustStoresRepository.get_default().get_main_store()
        ssl_connection = server_info.get_preconfigured_ssl_connection(ssl_verify_locations=mozilla_store.path)
        try:
            ssl_connection.connect()
            try:
                verified_chain_as_pem = ssl_connection.ssl_client.get_verified_chain()
            except CouldNotBuildVerifiedChain:
                verified_chain_as_pem = None

            # Send an HTTP GET request to the server
            ssl_connection.ssl_client.write(HttpRequestGenerator.get_request(host=server_info.hostname))

            # We do not follow redirections because the security headers must be set on the first page according to
            # https://hstspreload.appspot.com/:
            # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
            # header (rather than the page it redirects to)."
            http_response = HttpResponseParser.parse_from_ssl_connection(ssl_connection.ssl_client)
        finally:
            ssl_connection.close()

        if http_response.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError('Server did not return an HTTP response')

        # Parse the certificate chain
        verified_chain = [
            load_pem_x509_certificate(cert_as_pem.encode('ascii'), backend=default_backend())
            for cert_as_pem in verified_chain_as_pem
        ] if verified_chain_as_pem else None

        # Parse each header
        hsts_header = StrictTransportSecurityHeader.from_http_response(http_response)
        expect_ct_header = ExpectCtHeader.from_http_response(http_response)
        hpkp_header = PublicKeyPinsHeader.from_http_response(http_response)
        hpkp_report_only_header = PublicKeyPinsReportOnlyHeader.from_http_response(http_response)

        return HttpHeadersScanResult(
            server_info,
            scan_command,
            hsts_header,
            hpkp_header,
            hpkp_report_only_header,
            expect_ct_header,
            verified_chain
        )
Ejemplo n.º 14
0
    def _get_security_headers(
            cls,
            server_info  # type: ServerConnectivityInfo
    ):
        # type: (...) -> Tuple[Optional[Text], Optional[Text], Optional[Text], bool, List[Certificate]]
        hpkp_report_only = False

        # Perform the SSL handshake
        ssl_connection = server_info.get_preconfigured_ssl_connection()
        try:
            ssl_connection.connect()
            certificate_chain = [
                load_pem_x509_certificate(x509_cert.as_pem().encode('ascii'),
                                          backend=default_backend()) for
                x509_cert in ssl_connection.ssl_client.get_peer_cert_chain()
            ]
            # Send an HTTP GET request to the server
            ssl_connection.write(
                HttpRequestGenerator.get_request(host=server_info.hostname))
            http_resp = HttpResponseParser.parse_from_ssl_connection(
                ssl_connection)
        finally:
            ssl_connection.close()

        if http_resp.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError('Server did not return an HTTP response')
        else:
            hsts_header = http_resp.getheader('strict-transport-security',
                                              None)
            hpkp_header = http_resp.getheader('public-key-pins', None)
            expect_ct_header = http_resp.getheader('expect-ct', None)
            if hpkp_header is None:
                hpkp_report_only = True
                hpkp_header = http_resp.getheader(
                    'public-key-pins-report-only', None)

        # We do not follow redirections because the security headers must be set on the first page according to
        # https://hstspreload.appspot.com/:
        # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
        # header (rather than the page it redirects to)."
        return hsts_header, hpkp_header, expect_ct_header, hpkp_report_only, certificate_chain
Ejemplo n.º 15
0
    def _get_security_headers(
            cls,
            server_info: ServerConnectivityInfo
    ) -> Tuple[Optional[str], Optional[str], Optional[str], bool, List[Certificate]]:
        hpkp_report_only = False

        # Perform the SSL handshake
        ssl_connection = server_info.get_preconfigured_ssl_connection()
        try:
            ssl_connection.connect()
            certificate_chain = [
                load_pem_x509_certificate(x509_cert.as_pem().encode('ascii'), backend=default_backend())
                for x509_cert in ssl_connection.ssl_client.get_peer_cert_chain()
            ]
            # Send an HTTP GET request to the server
            ssl_connection.ssl_client.write(HttpRequestGenerator.get_request(host=server_info.hostname))
            http_resp = HttpResponseParser.parse_from_ssl_connection(ssl_connection.ssl_client)
        finally:
            ssl_connection.close()

        if http_resp.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError('Server did not return an HTTP response')
        else:
            hsts_header = http_resp.getheader('strict-transport-security', None)
            hpkp_header = http_resp.getheader('public-key-pins', None)
            expect_ct_header = http_resp.getheader('expect-ct', None)
            if hpkp_header is None:
                hpkp_report_only = True
                hpkp_header = http_resp.getheader('public-key-pins-report-only', None)

        # We do not follow redirections because the security headers must be set on the first page according to
        # https://hstspreload.appspot.com/:
        # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
        # header (rather than the page it redirects to)."
        return hsts_header, hpkp_header, expect_ct_header, hpkp_report_only, certificate_chain
Ejemplo n.º 16
0
    def process_task(
            self, server_info: ServerConnectivityInfo,
            scan_command: PluginScanCommand) -> "HttpHeadersScanResult":
        if not isinstance(scan_command, HttpHeadersScanCommand):
            raise ValueError("Unexpected scan command")

        if server_info.tls_wrapped_protocol not in [
                TlsWrappedProtocolEnum.PLAIN_TLS, TlsWrappedProtocolEnum.HTTPS
        ]:
            raise ValueError(
                "Cannot test for HTTP headers on a StartTLS connection.")

        # Perform the SSL handshake
        mozilla_store = TrustStoresRepository.get_default().get_main_store()
        ssl_connection = server_info.get_preconfigured_ssl_connection(
            ssl_verify_locations=mozilla_store.path)
        try:
            ssl_connection.connect()
            try:
                verified_chain_as_pem = ssl_connection.ssl_client.get_verified_chain(
                )
            except CouldNotBuildVerifiedChain:
                verified_chain_as_pem = None

            # Send an HTTP GET request to the server
            ssl_connection.ssl_client.write(
                HttpRequestGenerator.get_request(host=server_info.hostname))

            # We do not follow redirections because the security headers must be set on the first page according to
            # https://hstspreload.appspot.com/:
            # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
            # header (rather than the page it redirects to)."
            http_response = HttpResponseParser.parse_from_ssl_connection(
                ssl_connection.ssl_client)
        finally:
            ssl_connection.close()

        if http_response.version == 9:
            # HTTP 0.9 => Probably not an HTTP response
            raise ValueError("Server did not return an HTTP response")

        # Parse the certificate chain
        verified_chain = ([
            load_pem_x509_certificate(cert_as_pem.encode("ascii"),
                                      backend=default_backend())
            for cert_as_pem in verified_chain_as_pem
        ] if verified_chain_as_pem else None)

        # Parse each header
        hsts_header = StrictTransportSecurityHeader.from_http_response(
            http_response)
        expect_ct_header = ExpectCtHeader.from_http_response(http_response)
        hpkp_header = PublicKeyPinsHeader.from_http_response(http_response)
        hpkp_report_only_header = PublicKeyPinsReportOnlyHeader.from_http_response(
            http_response)

        return HttpHeadersScanResult(
            server_info,
            scan_command,
            hsts_header,
            hpkp_header,
            hpkp_report_only_header,
            expect_ct_header,
            verified_chain,
        )
Ejemplo n.º 17
0
def test_endpoint_for_secure_headers(httpEndpoint):

    # Setup the server to scan and ensure it is online/reachable
    hostname = httpEndpoint.get_endpoint_url()
    try:
        server_info = ServerConnectivityInfo(hostname=hostname)
        server_info.test_connectivity_to_server()
    except ServerConnectivityError as e:
        # Could not establish an SSL connection to the server
        raise RuntimeError('Error when connecting to {}: {}'.format(
            hostname, e.error_msg))

    hpkp_report_only = False

    # Perform the SSL handshake
    ssl_connection = server_info.get_preconfigured_ssl_connection()
    ssl_connection.connect()
    certificate_chain = [
        cryptography.x509.load_pem_x509_certificate(
            x509_cert.as_pem().encode('ascii'), backend=default_backend())
        for x509_cert in ssl_connection.ssl_client.get_peer_cert_chain()
    ]
    # Send an HTTP GET request to the server
    ssl_connection.write(
        HttpRequestGenerator.get_request(host=server_info.hostname))
    http_resp = HttpResponseParser.parse(ssl_connection)
    ssl_connection.close()

    if http_resp.version == 9:
        # HTTP 0.9 => Probably not an HTTP response
        raise ValueError('Server did not return an HTTP response')
    else:
        hsts_header = http_resp.getheader('strict-transport-security', None)
        x_frame_options_header = http_resp.getheader('x-frame-options', None)
        x_xss_protection_header = http_resp.getheader('x-xss-protection', None)
        content_security_policy_header = http_resp.getheader(
            'Content-Security-Policy', None)
        content_security_policy_report_only_header = http_resp.getheader(
            'content-security-policy-report-only', None)
        hpkp_header = http_resp.getheader('public-key-pins', None)
        expect_ct_header = http_resp.getheader('expect-ct', None)
        if hpkp_header is None:
            hpkp_report_only = True
            hpkp_header = http_resp.getheader('public-key-pins-report-only',
                                              None)

    # We do not follow redirections because the security headers must be set on the first page according to
    # https://hstspreload.appspot.com/:
    # "If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS
    # header (rather than the page it redirects to)."

    if hsts_header is not None:
        httpEndpoint.set_hsts_enabled(True)
        if "includeSubDomains".lower() not in hsts_header.lower():
            httpEndpoint.set_hsts_issues("includeSubDomains is not set.")
        if "max-age".lower() not in hsts_header.lower():
            issueValue = httpEndpoint.get_hsts_issues()
            issueValue += "max-age is not set."
            httpEndpoint.set_hsts_issues(issueValue)
    if x_xss_protection_header is not None:
        httpEndpoint.set_x_xss_protection_enabled(True)
        if "mode=block".lower() not in x_xss_protection_header.lower():
            httpEndpoint.set_x_xss_protection_issues("mode=block is not set.")
    if x_frame_options_header is not None:
        httpEndpoint.set_x_frame_options_enabled(True)
        if "SAMEORIGIN".lower() not in x_frame_options_header.lower():
            httpEndpoint.set_x_frame_options_issues(
                "SAMEORIGIN value is not set")
    if content_security_policy_header is not None:
        httpEndpoint.set_csp_enabled(True)

    #print(hsts_header)
    #print(x_frame_options_header)
    #print(x_xss_protection_header)
    print(content_security_policy_header)
    #print(content_security_policy_report_only_header)
    #print(http_resp.getheaders())

    return httpEndpoint