mpx-scan 1.1.0 → 1.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mpx-scan",
-  "version": "1.1.0",
+  "version": "1.2.1",
   "description": "Professional website security scanner CLI. Check headers, SSL, cookies, DNS, and get actionable fix suggestions. Part of the Mesaplex developer toolchain.",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -58,7 +58,7 @@ async function scan(url, options = {}) {
   };
 
   const allScanners = [
-    { name: 'headers', fn: scanHeaders, weight: 25 },
+    { name: 'headers', fn: scanHeaders, weight: 15 },
     { name: 'ssl', fn: scanSSL, weight: 20 },
     { name: 'cookies', fn: scanCookies, weight: 10 },
     { name: 'server', fn: scanServer, weight: 8 },

package/src/scanners/cookies.js

@@ -78,13 +78,25 @@ function fetchCookies(parsedUrl, options = {}) {
     const req = protocol.request(parsedUrl.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       // Consume body
       res.on('data', () => {});
       res.on('end', () => {});
 
+      // Follow redirects to get cookies from final destination
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        if ((options._redirectCount || 0) >= 5) {
+          resolve([]);
+          return;
+        }
+        const redirectUrl = new URL(res.headers.location, parsedUrl.href);
+        fetchCookies(redirectUrl, { ...options, _redirectCount: (options._redirectCount || 0) + 1 })
+          .then(resolve).catch(() => resolve([]));
+        return;
+      }
+
       const setCookies = res.headers['set-cookie'] || [];
       const parsed = setCookies.map(parseCookie);
       resolve(parsed);

package/src/scanners/exposed-files.js

@@ -151,7 +151,7 @@ function checkPath(parsedUrl, pathStr, options = {}) {
     const req = protocol.request(url.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       let body = '';

package/src/scanners/fingerprint.js

@@ -297,16 +297,18 @@ async function scanFingerprint(parsedUrl, options = {}) {
 function fetchHeaders(parsedUrl, options = {}) {
   return new Promise((resolve) => {
     const timeout = options.timeout || 10000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     let resolved = false;
     const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
     const timer = setTimeout(() => done(null), timeout + 2000);
 
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD', timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      method, timeout,
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
       clearTimeout(timer);
       // Follow redirects
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
@@ -314,6 +316,11 @@ function fetchHeaders(parsedUrl, options = {}) {
         fetchHeaders(redirectUrl, options).then(done);
         return;
       }
+      // HEAD returned error — retry with GET
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchHeaders(parsedUrl, { ...options, _useGet: true }).then(done);
+        return;
+      }
       done(res.headers);
     });
     req.on('error', () => { clearTimeout(timer); done(null); });

package/src/scanners/headers.js

@@ -23,8 +23,12 @@ async function scanHeaders(parsedUrl, options = {}) {
   let score = 0;
   let maxScore = 0;
 
-  // --- Strict-Transport-Security ---
-  maxScore += 3;
+  // ==============================================
+  // CRITICAL HEADERS (fail if missing, full points)
+  // ==============================================
+
+  // --- Strict-Transport-Security (4 pts) ---
+  maxScore += 4;
   const hsts = headers['strict-transport-security'];
   if (hsts) {
     const maxAge = parseInt((hsts.match(/max-age=(\d+)/) || [])[1] || '0');
@@ -33,10 +37,10 @@ async function scanHeaders(parsedUrl, options = {}) {
     
     if (maxAge >= 31536000 && includesSubs && preload) {
       checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Excellent. max-age=${maxAge}, includeSubDomains, preload`, value: hsts });
-      score += 3;
+      score += 4;
     } else if (maxAge >= 31536000) {
       checks.push({ name: 'Strict-Transport-Security', status: 'pass', message: `Good. max-age=${maxAge}${includesSubs ? ', includeSubDomains' : ''}${preload ? ', preload' : ''}`, value: hsts });
-      score += 2;
+      score += 3;
     } else if (maxAge > 0) {
       checks.push({ name: 'Strict-Transport-Security', status: 'warn', message: `max-age=${maxAge} is low. Recommend >= 31536000 (1 year)`, value: hsts });
       score += 1;
@@ -45,78 +49,88 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Strict-Transport-Security', status: 'fail', message: 'Missing. Allows downgrade attacks to HTTP.', recommendation: 'Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' });
   }
 
-  // --- Content-Security-Policy ---
+  // --- X-Content-Type-Options (3 pts) ---
   maxScore += 3;
-  const csp = headers['content-security-policy'];
-  if (csp) {
-    const hasDefaultSrc = /default-src/i.test(csp);
-    const hasUnsafeInline = /unsafe-inline/i.test(csp);
-    const hasUnsafeEval = /unsafe-eval/i.test(csp);
-    
-    if (hasDefaultSrc && !hasUnsafeInline && !hasUnsafeEval) {
-      checks.push({ name: 'Content-Security-Policy', status: 'pass', message: 'Strong policy without unsafe directives', value: csp.substring(0, 200) + (csp.length > 200 ? '...' : '') });
-      score += 3;
-    } else if (hasDefaultSrc) {
-      const issues = [];
-      if (hasUnsafeInline) issues.push('unsafe-inline');
-      if (hasUnsafeEval) issues.push('unsafe-eval');
-      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: `Present but uses ${issues.join(', ')}`, value: csp.substring(0, 200) });
-      score += 1.5;
-    } else {
-      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Present but missing default-src directive', value: csp.substring(0, 200) });
-      score += 1;
-    }
-  } else {
-    checks.push({ name: 'Content-Security-Policy', status: 'fail', message: 'Missing. Vulnerable to XSS and data injection attacks.', recommendation: "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'" });
-  }
-
-  // --- X-Content-Type-Options ---
-  maxScore += 1;
   const xcto = headers['x-content-type-options'];
   if (xcto && xcto.toLowerCase() === 'nosniff') {
     checks.push({ name: 'X-Content-Type-Options', status: 'pass', message: 'nosniff — prevents MIME-type sniffing', value: xcto });
-    score += 1;
+    score += 3;
   } else {
     checks.push({ name: 'X-Content-Type-Options', status: 'fail', message: 'Missing or incorrect. Browsers may MIME-sniff responses.', recommendation: 'Add: X-Content-Type-Options: nosniff' });
   }
 
-  // --- X-Frame-Options ---
-  maxScore += 1;
+  // ==============================================
+  // IMPORTANT HEADERS (fail if missing, fewer pts)
+  // ==============================================
+
+  // --- X-Frame-Options (2 pts) ---
+  maxScore += 2;
+  const csp = headers['content-security-policy'];
   const xfo = headers['x-frame-options'];
   if (xfo) {
     const val = xfo.toUpperCase();
     if (val === 'DENY' || val === 'SAMEORIGIN') {
       checks.push({ name: 'X-Frame-Options', status: 'pass', message: `${val} — prevents clickjacking`, value: xfo });
-      score += 1;
+      score += 2;
     } else {
       checks.push({ name: 'X-Frame-Options', status: 'warn', message: `Unusual value: ${xfo}`, value: xfo });
-      score += 0.5;
+      score += 1;
     }
   } else {
     // Check if CSP has frame-ancestors
     if (csp && /frame-ancestors/i.test(csp)) {
       checks.push({ name: 'X-Frame-Options', status: 'pass', message: 'Not set, but CSP frame-ancestors provides equivalent protection', value: 'via CSP' });
-      score += 1;
+      score += 2;
     } else {
       checks.push({ name: 'X-Frame-Options', status: 'fail', message: 'Missing. Page can be embedded in iframes (clickjacking risk).', recommendation: 'Add: X-Frame-Options: DENY (or SAMEORIGIN)' });
     }
   }
 
-  // --- Referrer-Policy ---
-  maxScore += 1;
+  // --- Referrer-Policy (2 pts) ---
+  maxScore += 2;
   const rp = headers['referrer-policy'];
   const goodPolicies = ['no-referrer', 'strict-origin-when-cross-origin', 'strict-origin', 'same-origin', 'no-referrer-when-downgrade'];
   if (rp && goodPolicies.some(p => rp.toLowerCase().includes(p))) {
     checks.push({ name: 'Referrer-Policy', status: 'pass', message: `${rp}`, value: rp });
-    score += 1;
+    score += 2;
   } else if (rp) {
     checks.push({ name: 'Referrer-Policy', status: 'warn', message: `Set to "${rp}" — may leak referrer data`, value: rp });
-    score += 0.5;
+    score += 1;
+  } else {
+    checks.push({ name: 'Referrer-Policy', status: 'fail', message: 'Missing. Browser defaults may leak URL paths in referrer.', recommendation: 'Add: Referrer-Policy: strict-origin-when-cross-origin' });
+  }
+
+  // ==============================================
+  // NICE-TO-HAVE HEADERS (warn if missing, no pts)
+  // ==============================================
+
+  // --- Content-Security-Policy (bonus: 2 pts if present, warn if missing, no deduction) ---
+  maxScore += 2;
+  if (csp) {
+    const hasDefaultSrc = /default-src/i.test(csp);
+    const hasUnsafeInline = /unsafe-inline/i.test(csp);
+    const hasUnsafeEval = /unsafe-eval/i.test(csp);
+    
+    if (hasDefaultSrc && !hasUnsafeInline && !hasUnsafeEval) {
+      checks.push({ name: 'Content-Security-Policy', status: 'pass', message: 'Strong policy without unsafe directives', value: csp.substring(0, 200) + (csp.length > 200 ? '...' : '') });
+      score += 2;
+    } else if (hasDefaultSrc) {
+      const issues = [];
+      if (hasUnsafeInline) issues.push('unsafe-inline');
+      if (hasUnsafeEval) issues.push('unsafe-eval');
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: `Present but uses ${issues.join(', ')}`, value: csp.substring(0, 200) });
+      score += 1;
+    } else {
+      checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Present but missing default-src directive', value: csp.substring(0, 200) });
+      score += 1;
+    }
   } else {
-    checks.push({ name: 'Referrer-Policy', status: 'warn', message: 'Missing. Browser defaults may leak URL paths in referrer.', recommendation: 'Add: Referrer-Policy: strict-origin-when-cross-origin' });
+    // Warn instead of fail — CSP is hard to implement correctly
+    checks.push({ name: 'Content-Security-Policy', status: 'warn', message: 'Missing. Consider adding to protect against XSS and data injection.', recommendation: "Add: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'" });
+    score += 0; // No deduction for missing CSP
   }
 
-  // --- Permissions-Policy ---
+  // --- Permissions-Policy (bonus: 1 pt if present) ---
   maxScore += 1;
   const pp = headers['permissions-policy'] || headers['feature-policy'];
   if (pp) {
@@ -126,7 +140,7 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Permissions-Policy', status: 'warn', message: 'Missing. Browser features (camera, mic, geolocation) unrestricted.', recommendation: 'Add: Permissions-Policy: camera=(), microphone=(), geolocation=()' });
   }
 
-  // --- Cross-Origin-Opener-Policy ---
+  // --- Cross-Origin-Opener-Policy (bonus: 0.5 pts if present) ---
   maxScore += 0.5;
   const coop = headers['cross-origin-opener-policy'];
   if (coop) {
@@ -136,7 +150,7 @@ async function scanHeaders(parsedUrl, options = {}) {
     checks.push({ name: 'Cross-Origin-Opener-Policy', status: 'info', message: 'Not set. Consider adding for cross-origin isolation.' });
   }
 
-  // --- Cross-Origin-Resource-Policy ---
+  // --- Cross-Origin-Resource-Policy (bonus: 0.5 pts if present) ---
   maxScore += 0.5;
   const corp = headers['cross-origin-resource-policy'];
   if (corp) {
@@ -170,16 +184,20 @@ async function scanHeaders(parsedUrl, options = {}) {
 function fetchHeaders(parsedUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 10000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
       headers: {
-        'User-Agent': 'mpx-scan/1.0.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)'
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)'
       },
       rejectUnauthorized: false // We check SSL separately
     }, (res) => {
+      // Consume body for GET requests
+      if (method === 'GET') { res.resume(); }
+
       // Follow redirects (up to 5)
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
         const redirectUrl = new URL(res.headers.location, parsedUrl.href);
@@ -191,6 +209,14 @@ function fetchHeaders(parsedUrl, options = {}) {
           .then(resolve).catch(reject);
         return;
       }
+
+      // If HEAD returned 4xx/5xx, retry with GET (some servers reject HEAD)
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchHeaders(parsedUrl, { ...options, _useGet: true })
+          .then(resolve).catch(reject);
+        return;
+      }
+
       resolve(res.headers);
     });
 

package/src/scanners/redirects.js

@@ -86,7 +86,7 @@ function followRedirect(testUrl, options = {}) {
     const req = protocol.request(testUrl.href, {
       method: 'GET',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       res.resume(); // Consume body

package/src/scanners/server.js

@@ -84,14 +84,18 @@ async function scanServer(parsedUrl, options = {}) {
 function checkRedirectToHttps(httpUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 5000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const req = http.request(httpUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
       if (res.statusCode >= 300 && res.statusCode < 400) {
         const location = res.headers.location || '';
         resolve(location.startsWith('https://'));
+      } else if (!options._useGet && res.statusCode >= 400) {
+        checkRedirectToHttps(httpUrl, { ...options, _useGet: true }).then(resolve).catch(reject);
       } else {
         resolve(false);
       }
@@ -105,16 +109,23 @@ function checkRedirectToHttps(httpUrl, options = {}) {
 function fetchWithOrigin(parsedUrl, options = {}) {
   return new Promise((resolve, reject) => {
     const timeout = options.timeout || 5000;
+    const method = options._useGet ? 'GET' : 'HEAD';
     const protocol = parsedUrl.protocol === 'https:' ? https : http;
     const req = protocol.request(parsedUrl.href, {
-      method: 'HEAD',
+      method,
       timeout,
       headers: {
-        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)',
         'Origin': 'https://evil.example.com'
       },
       rejectUnauthorized: false,
     }, (res) => {
+      if (method === 'GET') { res.resume(); }
+      // HEAD returned error — retry with GET
+      if (!options._useGet && res.statusCode >= 400) {
+        fetchWithOrigin(parsedUrl, { ...options, _useGet: true }).then(resolve).catch(reject);
+        return;
+      }
       resolve(res.headers);
     });
     req.on('error', reject);
@@ -130,7 +141,7 @@ function checkMethods(parsedUrl, options = {}) {
     const req = protocol.request(parsedUrl.href, {
       method: 'OPTIONS',
       timeout,
-      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)' },
       rejectUnauthorized: false,
     }, (res) => {
       const allow = res.headers.allow || '';

package/src/scanners/sri.js

@@ -125,7 +125,7 @@ function fetchBody(parsedUrl, options = {}) {
       method: 'GET',
       timeout,
       headers: { 
-        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'User-Agent': 'mpx-scan/1.2.1 Security Scanner (https://github.com/mesaplexdev/mpx-scan)',
         'Accept': 'text/html'
       },
       rejectUnauthorized: false,