@zerothreatai/vulnerability-registry 1.0.0 → 3.0.0

package/dist/categories/configuration.js

@@ -50,6 +50,90 @@ export const CONFIG_VULNERABILITIES = {
         ],
         remediation: 'Add Strict-Transport-Security header with max-age of at least 31536000 (1 year). Include includeSubDomains directive. Consider HSTS preloading for maximum protection.',
     },
+    [VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE]: {
+        id: 1011,
+        code: VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE,
+        title: 'HSTS Misconfiguration - Invalid Max-Age',
+        description: 'The Strict-Transport-Security header uses an invalid or malformed max-age value, preventing reliable HTTPS enforcement.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Set a valid numeric max-age on Strict-Transport-Security (at least 31536000).',
+    },
+    [VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE]: {
+        id: 1012,
+        code: VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE,
+        title: 'HSTS Misconfiguration - Max-Age Too Short',
+        description: 'The Strict-Transport-Security header uses a short max-age value that weakens HTTPS enforcement and allows downgrade risk to return quickly.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Increase max-age to at least 31536000 (1 year) to provide durable HTTPS enforcement.',
+    },
+    [VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS]: {
+        id: 1013,
+        code: VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS,
+        title: 'HSTS Misconfiguration - Missing includeSubDomains',
+        description: 'The Strict-Transport-Security header is missing includeSubDomains, leaving subdomains unprotected from downgrade and stripping attacks.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Add includeSubDomains to the HSTS header to protect all subdomains.',
+    },
+    [VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE]: {
+        id: 1018,
+        code: VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE,
+        title: 'HSTS Preload Requirements Not Met',
+        description: 'The HSTS header indicates preload intent but does not meet preload requirements, such as a sufficiently long max-age or includeSubDomains, reducing preload effectiveness.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Ensure HSTS max-age is at least 31536000, include includeSubDomains, and add preload before submitting to the preload list.',
+    },
     [VulnerabilityCode.HEADER_MISSING_XFRAME]: {
         id: 71,
         code: VulnerabilityCode.HEADER_MISSING_XFRAME,
@@ -92,6 +176,174 @@ export const CONFIG_VULNERABILITIES = {
         ],
         remediation: 'Remove unsafe-inline and unsafe-eval directives. Use nonce-based or hash-based CSP for inline scripts. Restrict source allowlists to specific trusted domains rather than wildcards.',
     },
+    [VulnerabilityCode.HEADER_CSP_REPORT_ONLY]: {
+        id: 1001,
+        code: VulnerabilityCode.HEADER_CSP_REPORT_ONLY,
+        title: 'Content-Security-Policy Report-Only Enabled',
+        description: 'The Content-Security-Policy header is deployed in report-only mode, which does not enforce protections and allows unsafe content to execute while only logging violations.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Switch to enforcing Content-Security-Policy once violations are reviewed. Use report-only during rollout, then enforce with strict directives.',
+    },
+    [VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES]: {
+        id: 1002,
+        code: VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES,
+        title: 'Content-Security-Policy Contains Unsafe Directives',
+        description: 'The Content-Security-Policy header includes unsafe directives such as unsafe-inline or unsafe-eval that reduce XSS protection and allow risky script execution paths.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Remove unsafe-inline and unsafe-eval directives. Replace inline scripts with nonces or hashes and restrict sources to trusted domains.',
+    },
+    [VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT]: {
+        id: 1003,
+        code: VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT,
+        title: 'Content-Security-Policy Allows data: in script-src',
+        description: 'The CSP allows data: URIs for script execution, which can enable script injection through crafted data URLs and weaken XSS protections.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Remove data: from script-src. Use nonce or hash-based CSP for any required inline scripts.',
+    },
+    [VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT]: {
+        id: 1004,
+        code: VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT,
+        title: 'Content-Security-Policy Allows blob: in script-src',
+        description: 'The CSP allows blob: URIs for script execution, which can be abused to load attacker-controlled scripts in some contexts and weaken XSS mitigations.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Remove blob: from script-src unless strictly required. Use a narrower allowlist or nonces for trusted scripts.',
+    },
+    [VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT]: {
+        id: 1005,
+        code: VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT,
+        title: 'Content-Security-Policy default-src Uses Wildcard',
+        description: 'The CSP default-src directive allows all origins, which effectively disables the protection and allows untrusted content to load.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Replace wildcard default-src with explicit trusted origins and tighten resource-specific directives.',
+    },
+    [VulnerabilityCode.HEADER_CSP_NO_BASE_URI]: {
+        id: 1006,
+        code: VulnerabilityCode.HEADER_CSP_NO_BASE_URI,
+        title: 'Content-Security-Policy Missing base-uri Directive',
+        description: 'The CSP does not include a base-uri directive, allowing the base URL to be set by injected markup and enabling abuse of relative URL resolution.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Add base-uri \'self\' (or a strict allowlist) to CSP to prevent base tag abuse.',
+    },
+    [VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC]: {
+        id: 1007,
+        code: VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC,
+        title: 'Content-Security-Policy Missing object-src Directive',
+        description: 'The CSP does not include an object-src directive, allowing embedded objects to load from arbitrary origins and weakening defense-in-depth against plugin-based risks.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Add object-src \'none\' (or a strict allowlist) to CSP to prevent plugin content loading.',
+    },
+    [VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS]: {
+        id: 1008,
+        code: VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS,
+        title: 'Content-Security-Policy Missing frame-ancestors Directive',
+        description: 'The CSP does not include a frame-ancestors directive, leaving pages potentially frameable and vulnerable to clickjacking attacks.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 4.7,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Add frame-ancestors \'none\' or a strict allowlist to CSP to prevent clickjacking.',
+    },
     [VulnerabilityCode.HEADER_CORS_MISCONFIGURED]: {
         id: 73,
         code: VulnerabilityCode.HEADER_CORS_MISCONFIGURED,
@@ -113,6 +365,90 @@ export const CONFIG_VULNERABILITIES = {
         ],
         remediation: 'Implement strict Origin validation with allowlist of trusted domains. Never reflect Origin header without validation. Do not use wildcard with Access-Control-Allow-Credentials.',
     },
+    [VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS]: {
+        id: 1014,
+        code: VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS,
+        title: 'CORS Wildcard With Credentials',
+        description: 'Access-Control-Allow-Origin is set to * while Access-Control-Allow-Credentials is enabled, which browsers block but signals a dangerous CORS policy that can be misapplied in some environments.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Never use wildcard origins with credentials. Replace * with an explicit allowlist and set Vary: Origin.',
+    },
+    [VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY]: {
+        id: 1015,
+        code: VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY,
+        title: 'CORS Origin Reflection Without Vary',
+        description: 'The Origin header is reflected in Access-Control-Allow-Origin without Vary: Origin, which can lead to cache poisoning and unintended cross-origin access.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Validate origins against an allowlist and always include Vary: Origin when dynamically setting Access-Control-Allow-Origin.',
+    },
+    [VulnerabilityCode.HEADER_CORS_NULL_ORIGIN]: {
+        id: 1016,
+        code: VulnerabilityCode.HEADER_CORS_NULL_ORIGIN,
+        title: 'CORS Allows Null Origin',
+        description: 'Access-Control-Allow-Origin allows the null origin, enabling requests from opaque origins such as sandboxed iframes and file URLs that can be abused to access sensitive data.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Remove null from allowed origins. Restrict CORS to explicit trusted domains only.',
+    },
+    [VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN]: {
+        id: 1017,
+        code: VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN,
+        title: 'CORS Allows Wildcard Subdomains',
+        description: 'CORS policies allow wildcard subdomains that can be abused if any subdomain is compromised or can be controlled by untrusted parties.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Replace wildcard subdomains with a strict allowlist of trusted origins.',
+    },
     // ========================================
     // DIRECTORY BROWSING
     // ========================================
@@ -353,6 +689,27 @@ export const CONFIG_VULNERABILITIES = {
         ],
         remediation: 'Add X-Content-Type-Options: nosniff header to all responses. Ensure correct Content-Type headers are set for all resources. Validate file types before serving user uploads.',
     },
+    [VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID]: {
+        id: 1009,
+        code: VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID,
+        title: 'Invalid Security Header - X-Content-Type-Options',
+        description: 'The X-Content-Type-Options header is present but misconfigured (not set to nosniff), which can allow MIME sniffing and reduce protection against content-type confusion.',
+        severity: 'low',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 3.7,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'LOW',
+        },
+        cwe: [
+            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Set X-Content-Type-Options to nosniff on all responses to prevent MIME sniffing.',
+    },
     [VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY]: {
         id: 85,
         code: VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY,
@@ -374,6 +731,27 @@ export const CONFIG_VULNERABILITIES = {
         ],
         remediation: 'Implement Referrer-Policy header with strict-origin-when-cross-origin or no-referrer policy. Avoid passing sensitive data in URLs. Use POST requests for sensitive operations.',
     },
+    [VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE]: {
+        id: 1010,
+        code: VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE,
+        title: 'Unsafe Referrer-Policy Configuration',
+        description: 'The Referrer-Policy header is set to a permissive value that can leak full URLs and sensitive query parameters to external origins.',
+        severity: 'low',
+        category: 'configuration',
+        scanner: 'security-headers',
+        cvss: {
+            score: 3.1,
+            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N',
+            severity: 'LOW',
+        },
+        cwe: [
+            { id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Use strict-origin-when-cross-origin or no-referrer to minimize leakage of sensitive URL data.',
+    },
     [VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY]: {
         id: 86,
         code: VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY,

package/dist/error-codes.d.ts

@@ -84,13 +84,31 @@ export declare enum VulnerabilityCode {
     HEADER_MISSING_REFERRER_POLICY = "HEADER_MISSING_REFERRER_POLICY",
     HEADER_MISSING_PERMISSIONS_POLICY = "HEADER_MISSING_PERMISSIONS_POLICY",
     HEADER_WEAK_CSP = "HEADER_WEAK_CSP",
+    HEADER_CSP_REPORT_ONLY = "HEADER_CSP_REPORT_ONLY",
+    HEADER_CSP_WEAK_DIRECTIVES = "HEADER_CSP_WEAK_DIRECTIVES",
+    HEADER_CSP_DATA_URI_SCRIPT = "HEADER_CSP_DATA_URI_SCRIPT",
+    HEADER_CSP_BLOB_URI_SCRIPT = "HEADER_CSP_BLOB_URI_SCRIPT",
+    HEADER_CSP_WILDCARD_DEFAULT = "HEADER_CSP_WILDCARD_DEFAULT",
+    HEADER_CSP_NO_BASE_URI = "HEADER_CSP_NO_BASE_URI",
+    HEADER_CSP_NO_OBJECT_SRC = "HEADER_CSP_NO_OBJECT_SRC",
+    HEADER_CSP_NO_FRAME_ANCESTORS = "HEADER_CSP_NO_FRAME_ANCESTORS",
     HEADER_CORS_MISCONFIGURED = "HEADER_CORS_MISCONFIGURED",
+    HEADER_CORS_STAR_WITH_CREDENTIALS = "HEADER_CORS_STAR_WITH_CREDENTIALS",
+    HEADER_CORS_ORIGIN_REFLECT_NO_VARY = "HEADER_CORS_ORIGIN_REFLECT_NO_VARY",
+    HEADER_CORS_NULL_ORIGIN = "HEADER_CORS_NULL_ORIGIN",
+    HEADER_CORS_WILDCARD_SUBDOMAIN = "HEADER_CORS_WILDCARD_SUBDOMAIN",
     HEADER_COEP_WITHOUT_COOP = "HEADER_COEP_WITHOUT_COOP",
     HEADER_CORP_UNUSUAL = "HEADER_CORP_UNUSUAL",
     HEADER_EXPECT_CT_PRESENT = "HEADER_EXPECT_CT_PRESENT",
     HEADER_SERVER_HEADER_PRESENT = "HEADER_SERVER_HEADER_PRESENT",
     HEADER_X_POWERED_BY_PRESENT = "HEADER_X_POWERED_BY_PRESENT",
     HEADER_X_XSS_PROTECTION_ENABLED = "HEADER_X_XSS_PROTECTION_ENABLED",
+    HEADER_XCONTENT_TYPE_INVALID = "HEADER_XCONTENT_TYPE_INVALID",
+    HEADER_REFERRER_POLICY_UNSAFE = "HEADER_REFERRER_POLICY_UNSAFE",
+    HEADER_HSTS_BAD_MAX_AGE = "HEADER_HSTS_BAD_MAX_AGE",
+    HEADER_HSTS_SHORT_MAX_AGE = "HEADER_HSTS_SHORT_MAX_AGE",
+    HEADER_HSTS_NO_INCLUDESUBDOMAINS = "HEADER_HSTS_NO_INCLUDESUBDOMAINS",
+    HEADER_HSTS_PRELOAD_LOW_MAX_AGE = "HEADER_HSTS_PRELOAD_LOW_MAX_AGE",
     COOKIE_SAMESITE_NONE_WITHOUT_SECURE = "COOKIE_SAMESITE_NONE_WITHOUT_SECURE",
     COOKIE_SESSION_MISSING_SECURE = "COOKIE_SESSION_MISSING_SECURE",
     COOKIE_MISSING_SECURE = "COOKIE_MISSING_SECURE",

package/dist/error-codes.js

@@ -121,13 +121,31 @@ export var VulnerabilityCode;
     VulnerabilityCode["HEADER_MISSING_REFERRER_POLICY"] = "HEADER_MISSING_REFERRER_POLICY";
     VulnerabilityCode["HEADER_MISSING_PERMISSIONS_POLICY"] = "HEADER_MISSING_PERMISSIONS_POLICY";
     VulnerabilityCode["HEADER_WEAK_CSP"] = "HEADER_WEAK_CSP";
+    VulnerabilityCode["HEADER_CSP_REPORT_ONLY"] = "HEADER_CSP_REPORT_ONLY";
+    VulnerabilityCode["HEADER_CSP_WEAK_DIRECTIVES"] = "HEADER_CSP_WEAK_DIRECTIVES";
+    VulnerabilityCode["HEADER_CSP_DATA_URI_SCRIPT"] = "HEADER_CSP_DATA_URI_SCRIPT";
+    VulnerabilityCode["HEADER_CSP_BLOB_URI_SCRIPT"] = "HEADER_CSP_BLOB_URI_SCRIPT";
+    VulnerabilityCode["HEADER_CSP_WILDCARD_DEFAULT"] = "HEADER_CSP_WILDCARD_DEFAULT";
+    VulnerabilityCode["HEADER_CSP_NO_BASE_URI"] = "HEADER_CSP_NO_BASE_URI";
+    VulnerabilityCode["HEADER_CSP_NO_OBJECT_SRC"] = "HEADER_CSP_NO_OBJECT_SRC";
+    VulnerabilityCode["HEADER_CSP_NO_FRAME_ANCESTORS"] = "HEADER_CSP_NO_FRAME_ANCESTORS";
     VulnerabilityCode["HEADER_CORS_MISCONFIGURED"] = "HEADER_CORS_MISCONFIGURED";
+    VulnerabilityCode["HEADER_CORS_STAR_WITH_CREDENTIALS"] = "HEADER_CORS_STAR_WITH_CREDENTIALS";
+    VulnerabilityCode["HEADER_CORS_ORIGIN_REFLECT_NO_VARY"] = "HEADER_CORS_ORIGIN_REFLECT_NO_VARY";
+    VulnerabilityCode["HEADER_CORS_NULL_ORIGIN"] = "HEADER_CORS_NULL_ORIGIN";
+    VulnerabilityCode["HEADER_CORS_WILDCARD_SUBDOMAIN"] = "HEADER_CORS_WILDCARD_SUBDOMAIN";
     VulnerabilityCode["HEADER_COEP_WITHOUT_COOP"] = "HEADER_COEP_WITHOUT_COOP";
     VulnerabilityCode["HEADER_CORP_UNUSUAL"] = "HEADER_CORP_UNUSUAL";
     VulnerabilityCode["HEADER_EXPECT_CT_PRESENT"] = "HEADER_EXPECT_CT_PRESENT";
     VulnerabilityCode["HEADER_SERVER_HEADER_PRESENT"] = "HEADER_SERVER_HEADER_PRESENT";
     VulnerabilityCode["HEADER_X_POWERED_BY_PRESENT"] = "HEADER_X_POWERED_BY_PRESENT";
     VulnerabilityCode["HEADER_X_XSS_PROTECTION_ENABLED"] = "HEADER_X_XSS_PROTECTION_ENABLED";
+    VulnerabilityCode["HEADER_XCONTENT_TYPE_INVALID"] = "HEADER_XCONTENT_TYPE_INVALID";
+    VulnerabilityCode["HEADER_REFERRER_POLICY_UNSAFE"] = "HEADER_REFERRER_POLICY_UNSAFE";
+    VulnerabilityCode["HEADER_HSTS_BAD_MAX_AGE"] = "HEADER_HSTS_BAD_MAX_AGE";
+    VulnerabilityCode["HEADER_HSTS_SHORT_MAX_AGE"] = "HEADER_HSTS_SHORT_MAX_AGE";
+    VulnerabilityCode["HEADER_HSTS_NO_INCLUDESUBDOMAINS"] = "HEADER_HSTS_NO_INCLUDESUBDOMAINS";
+    VulnerabilityCode["HEADER_HSTS_PRELOAD_LOW_MAX_AGE"] = "HEADER_HSTS_PRELOAD_LOW_MAX_AGE";
     VulnerabilityCode["COOKIE_SAMESITE_NONE_WITHOUT_SECURE"] = "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
     VulnerabilityCode["COOKIE_SESSION_MISSING_SECURE"] = "COOKIE_SESSION_MISSING_SECURE";
     VulnerabilityCode["COOKIE_MISSING_SECURE"] = "COOKIE_MISSING_SECURE";