Santandersecurityresearch/DrHeader

Add suppression list

Closed this issue · 4 comments

It would be nice to have DrHeader able to support some sort of suppression mechanism, to avoid flagging known/accepted issues.
For instance, if I'm happy with unsafe-inline for style (e.g. I'm using angular), I can pass some suppression.yaml file with something like:

rule: Content-Security-Policy
 - location: style-src

Thanks @dave-89
Could this be dealt with by modifying the rules.yaml file to adapt it to your particular needs? Or even by extending the granularity of the config for the CSP header?
I am also thinking about the option of adding a new parameter to specify the path to a custom rules.yaml file, where you can relax the default policy and use it for some of the scans.
Thoughts?

I will be working on this new feature. The implementation will address this problem by using the existing rules.xml as the base file with Santander's proposed headers. On top of that, we will provide a custom headers file, using the option --rules, already implemented, plus a new flag --merge, to indicate that we would like to merge the original file with the file provided.
The merge strategy will be by header kind, to keep it simple.
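The "merge by header kind" strategy described in the comment above, as an added illustration that is not DrHeader's own code: a base rule set and a custom rule set are merged per top-level header name (a custom entry replaces the base entry for that header; headers not mentioned in the custom file keep their base rule), and a small checker shows the effect on a response that uses unsafe-inline for style-src. The rule keys (Required, Must-Avoid, Value) and the sample inputs are constructed for this example and are assumptions, not the project's real rules.yaml schema; the real --rules and --merge flags are not invoked here.

```python
from copy import deepcopy

# Constructed sample standing in for the parsed base rules file.
# Key names are assumptions for this example, not DrHeader's real schema.
BASE_RULES = {
    "Content-Security-Policy": {"Required": True,
                                "Must-Avoid": ["unsafe-inline", "unsafe-eval"]},
    "X-Frame-Options": {"Required": True, "Value": ["DENY", "SAMEORIGIN"]},
    "Strict-Transport-Security": {"Required": True},
}

# Constructed custom rules file: relax CSP only (accept unsafe-inline),
# leave every other header to the base policy.
CUSTOM_RULES = {
    "Content-Security-Policy": {"Required": True, "Must-Avoid": ["unsafe-eval"]},
}

# Constructed response headers from a hypothetical Angular app.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000",
}


def merge_by_header(base, custom):
    """Merge by header kind: a custom entry replaces the whole base entry
    for that header; untouched headers keep their base rule."""
    merged = deepcopy(base)
    for header, rule in custom.items():
        merged[header] = deepcopy(rule)
    return merged


def check_headers(rules, headers):
    """Return a list of human-readable findings for `headers` under `rules`.
    Header-name matching is case-insensitive, as HTTP header names are."""
    findings = []
    present = {name.lower(): value for name, value in headers.items()}
    for header, rule in rules.items():
        value = present.get(header.lower())
        if value is None:
            if rule.get("Required", False):
                findings.append(f"{header}: missing")
            continue
        # Substrings that must not appear anywhere in the header value
        for bad in rule.get("Must-Avoid", []):
            if bad in value:
                findings.append(f"{header}: contains '{bad}'")
        # Optional allow-list of exact values
        allowed = rule.get("Value")
        if allowed and value not in allowed:
            findings.append(f"{header}: value '{value}' not in {allowed}")
    return findings


if __name__ == "__main__":
    print("base rules:  ", check_headers(BASE_RULES, SAMPLE_HEADERS))
    merged = merge_by_header(BASE_RULES, CUSTOM_RULES)
    print("merged rules:", check_headers(merged, SAMPLE_HEADERS))
```

With the base rules the CSP finding for unsafe-inline is reported; after merging in the custom file it disappears, while X-Frame-Options and Strict-Transport-Security are still enforced from the base set. Because the merge replaces an entire header entry, a custom rule must restate everything it wants to keep for that header (here Required is repeated), which is the trade-off of keeping the strategy simple.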

Change merged in master branch. @dave-89 are you happy to close this issue?

Thanks @dave-89 @jhbarrantes
Closing issue.