detecting client secrets (#150)

* detecting client secrets

* Disabled link-checker for https://blog.cloudflare.com/high-reliability-ocsp-stapling/ because it's consistently failing even though the link does work

Co-authored-by: andyblundell <[email protected]>

Author: walteck

nhsd-git-secrets/nhsd-rules-linux-mac.txt

@@ -16,3 +16,4 @@ dynamodb\.[a-z]{2}-[a-z-]*-[1,2,3]\.amazonaws\.com
 -----BEGIN[[:blank:]]CERTIFICATE-----
 [0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}
 [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
+(CLIENT|client|Client)(_|\s)(SECRET|secret|Secret)\s*(:|=>|=)\s*("|')?(\{)?[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\})?("|')?

practices/security.md

@@ -62,7 +62,7 @@ The remainder of this page gives more detailed and specific recommendations to b
   - Minimum necessary feedback on failed authentication e.g. 404 or blanket 403 when not authenticated to avoid leaking whether resources exist
   - Guard against time based authentication attacks, e.g. using a WAF
 - Guarded against invalid **certificates** e.g. expiry monitoring.
-  - Consider [OCSP stapling](https://blog.cloudflare.com/high-reliability-ocsp-stapling/) for improved performance
+  - Consider <!-- markdown-link-check-disable -->[OCSP stapling](https://blog.cloudflare.com/high-reliability-ocsp-stapling/)<!-- markdown-link-check-enable --> for improved performance
 - Ensure **cookies** cannot leak from production to non-production environments e.g. avoid non-production on subdomain of production domain
 - Prevent **[clickjacking](https://sudo.pagerduty.com/for_engineers/#clickjacking)** with `X-Frame-Options`
 - Be careful not to **leak information**, e.g. error messages, stack traces, headers