orion/app/modules/prospecting/services/security_audit_constants.py

# app/modules/prospecting/services/security_audit_constants.py
"""
Constants for security audit checks.

Structural data used by SecurityAuditService. Translations for report
generation are kept in the standalone script (scripts/security-audit/audit.py)
until Phase 2B (report service) migrates them.
"""

# Severity scores — deducted from a starting score of 100
SEVERITY_SCORES = {
    "critical": 15,
    "high": 10,
    "medium": 5,
    "low": 2,
    "info": 0,
}

# Security headers to check and their severity if missing
SECURITY_HEADERS = {
    "Strict-Transport-Security": {"severity": "high", "impact": "MITM attacks, session hijacking via HTTP downgrade"},
    "Content-Security-Policy": {"severity": "high", "impact": "XSS attacks, script injection, data theft"},
    "X-Frame-Options": {"severity": "medium", "impact": "Clickjacking attacks via invisible iframes"},
    "X-Content-Type-Options": {"severity": "medium", "impact": "MIME type confusion, content injection"},
    "Referrer-Policy": {"severity": "low", "impact": "URL parameter leakage to third parties"},
    "Permissions-Policy": {"severity": "low", "impact": "Unrestricted browser API access (camera, mic, location)"},
    "X-XSS-Protection": {"severity": "info", "impact": "Legacy XSS filter not configured"},
}

# Paths to check for exposed sensitive files/directories
EXPOSED_PATHS = [
    ("/.env", "Environment file (database passwords, API keys)", "critical"),
    ("/.git/config", "Git repository (full source code)", "critical"),
    ("/.git/HEAD", "Git repository HEAD", "critical"),
    ("/.htpasswd", "Password file", "critical"),
    ("/wp-admin/", "WordPress admin panel", "high"),
    ("/wp-login.php", "WordPress login page", "high"),
    ("/administrator/", "Joomla admin panel", "high"),
    ("/admin/", "Admin panel", "high"),
    ("/admin/login", "Admin login page", "high"),
    ("/phpmyadmin/", "phpMyAdmin (database manager)", "high"),
    ("/backup/", "Backup directory", "high"),
    ("/backup.zip", "Backup archive", "high"),
    ("/backup.sql", "Database backup", "high"),
    ("/db.sql", "Database dump", "high"),
    ("/dump.sql", "Database dump", "high"),
    ("/.htaccess", "Server configuration", "medium"),
    ("/web.config", "IIS configuration", "medium"),
    ("/server-status", "Apache server status", "medium"),
    ("/server-info", "Apache server info", "medium"),
    ("/info.php", "PHP info page", "medium"),
    ("/phpinfo.php", "PHP info page", "medium"),
    ("/graphql", "GraphQL endpoint", "medium"),
    ("/debug/", "Debug endpoint", "medium"),
    ("/elmah.axd", ".NET error log", "medium"),
    ("/trace.axd", ".NET trace log", "medium"),
    ("/readme.html", "CMS readme (reveals version)", "low"),
    ("/license.txt", "CMS license (reveals version)", "low"),
    ("/CHANGELOG.md", "Changelog (reveals version)", "low"),
    ("/robots.txt", "Robots file", "info"),
    ("/.well-known/security.txt", "Security contact file", "info"),
    ("/sitemap.xml", "Sitemap", "info"),
    ("/crossdomain.xml", "Flash cross-domain policy", "low"),
    ("/api/", "API endpoint", "info"),
]

# Paths that are admin panels (separate severity logic)
ADMIN_PATHS = {"/wp-admin/", "/wp-login.php", "/administrator/", "/admin/", "/admin/login"}

# Robots.txt disallow patterns that may reveal sensitive areas
ROBOTS_SENSITIVE_PATTERNS = [
    "admin", "backup", "private", "secret", "staging",
    "test", "dev", "internal", "api", "config",
    "database", "panel", "dashboard", "login", "cgi-bin",
]