Security sql 2025 update (#4338)

vsdaan · tunetheweb · web-flow · commit 077eba809ade · 2026-01-12T11:00:21.000Z
* Changes to 2025 security queries to fix small issues encountered during writing

* Fix merge markers

* Apply suggestions from code review

* Update sql/2025/security/https_server_redirects.sql

---------

Co-authored-by: Barry Pollard &lt;barrypollard@google.com&gt;
diff --git a/sql/2025/security/cookie_age_percentiles.sql b/sql/2025/security/cookie_age_percentiles.sql
@@ -37,7 +37,7 @@ LANGUAGE js AS '''
 WITH age_values AS (
   SELECT
     client,
-    getCookieAgeValues(response_headers.value, INT64(summary.startedDateTime)) AS values
+    getCookieAgeValues(response_headers.value, UNIX_SECONDS(TIMESTAMP(STRING(payload.startedDateTime)))) AS values
   FROM
     `httparchive.crawl.requests`,
     UNNEST(response_headers) AS response_headers
diff --git a/sql/2025/security/cookie_max_age_expires_top_values.sql b/sql/2025/security/cookie_max_age_expires_top_values.sql
@@ -34,7 +34,7 @@ WITH max_age_values AS (
   FROM
     `httparchive.crawl.requests`,
     UNNEST(response_headers) AS rh,
-    UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime))), '$.maxAge') AS max_age_value
+    UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime)), '$.maxAge')) AS max_age_value
   WHERE
     date = '2025-07-01' AND
     is_root_page AND
@@ -46,7 +46,7 @@ expires_values AS (
     client,
     expires_value
   FROM
-    `httparchive.all.requests`,
+    `httparchive.crawl.requests`,
     UNNEST(response_headers) AS rh,
     UNNEST(JSON_QUERY_ARRAY(getCookieAgeValues(rh.value, INT64(summary.startedDateTime)), '$.expires')) AS expires_value
   WHERE
diff --git a/sql/2025/security/csp_script_source_list_keywords_per_request.sql b/sql/2025/security/csp_script_source_list_keywords_per_request.sql
@@ -24,18 +24,19 @@ FROM (
   SELECT
     client,
     COUNT(0) AS total_pages_with_csp,
-    COUNTIF(csp_header IS NOT NULL) AS freq_csp,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src')) AS freq_default_script_src,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+strict-dynamic')) AS freq_strict_dynamic,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+nonce-')) AS freq_nonce,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+unsafe-inline')) AS freq_script_unsafe_inline,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+unsafe-eval')) AS freq_script_unsafe_eval,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)unsafe-inline')) AS freq_unsafe_inline,
-    COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)unsafe-eval')) AS freq_unsafe_eval
+    COUNTIF(csp_combined IS NOT NULL) AS freq_csp,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src')) AS freq_default_script_src,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+strict-dynamic')) AS freq_strict_dynamic,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+nonce-')) AS freq_nonce,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+unsafe-inline')) AS freq_script_unsafe_inline,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)(default|script)-src[^;]+unsafe-eval')) AS freq_script_unsafe_eval,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)unsafe-inline')) AS freq_unsafe_inline,
+    COUNTIF(REGEXP_CONTAINS(csp_combined, '(?i)unsafe-eval')) AS freq_unsafe_eval
   FROM (
     SELECT
       client,
-      response_headers.value AS csp_header
+      url,
+      STRING_AGG(response_headers.value, '; ') AS csp_combined
     FROM
       `httparchive.crawl.requests`,
       UNNEST(response_headers) AS response_headers
@@ -44,6 +45,8 @@ FROM (
       is_root_page AND
       is_main_document AND
       LOWER(response_headers.name) = 'content-security-policy'
+    GROUP BY
+      client, url
   )
   GROUP BY
     client
diff --git a/sql/2025/security/hsts_attributes.sql b/sql/2025/security/hsts_attributes.sql
@@ -3,23 +3,25 @@
 # Question: How many websites use HSTS includeSubDomains and preload?
 SELECT
   client,
-  COUNT(0) AS total_requests,
-  COUNTIF(hsts_header_val IS NOT NULL) AS total_hsts_headers,
-  COUNTIF(hsts_header_val IS NOT NULL) / COUNT(0) AS pct_hsts_requests,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)max-age\s*=\s*\d+') AND NOT REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_valid_max_age,
-  COUNTIF(REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_zero_max_age,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)includeSubDomains')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_include_subdomains,
-  COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)preload')) / COUNTIF(hsts_header_val IS NOT NULL) AS pct_preload
+  COUNT(0) AS total_requests_with_hsts_header,
+  COUNTIF(hsts_header_val IS NOT NULL) AS total_non_null_hsts_headers,
+  SAFE_DIVIDE(COUNTIF(hsts_header_val IS NOT NULL), COUNT(0)) AS pct_hsts_requests,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)max-age\s*=\s*\d+') AND NOT REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_valid_max_age,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(CONCAT(hsts_header_val, ' '), r'(?i)max-age\s*=\s*0\W')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_zero_max_age,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)includeSubDomains')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_include_subdomains,
+  SAFE_DIVIDE(COUNTIF(REGEXP_CONTAINS(hsts_header_val, r'(?i)preload')), COUNTIF(hsts_header_val IS NOT NULL)) AS pct_preload
 FROM (
   SELECT
     client,
-    REGEXP_EXTRACT(summary.respOtherHeaders, r'(?i)strict-transport-security =([^,]+)') AS hsts_header_val
+    response_headers.value AS hsts_header_val
   FROM
-    `httparchive.crawl.requests`
+    `httparchive.crawl.requests`,
+    UNNEST(response_headers) AS response_headers
   WHERE
     date = '2025-07-01' AND
     is_root_page AND
-    is_main_document
+    is_main_document AND
+    LOWER(response_headers.name) = 'strict-transport-security'
 )
 GROUP BY
   client
diff --git a/sql/2025/security/https_server_redirects.sql b/sql/2025/security/https_server_redirects.sql
@@ -8,10 +8,11 @@ SELECT
   COUNT(DISTINCT url) AS total_urls_on_page,
   COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS count_http_urls_on_page,
   COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) / COUNT(DISTINCT url) AS pct_http_urls_on_page,
-  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND STRING(summary.resp_location) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) AS count_http_urls_with_https_redirect_on_page,
-  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND STRING(summary.resp_location) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) / COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS pct_http_urls_with_https_redirect_on_page
+  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND (SELECT value FROM UNNEST(response_headers) WHERE LOWER(name) = 'location' LIMIT 1) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) AS count_http_urls_with_https_redirect_on_page, -- noqa: AM09
+  COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' AND (SELECT value FROM UNNEST(response_headers) WHERE LOWER(name) = 'location' LIMIT 1) LIKE 'https://%' AND INT64(summary.status) BETWEEN 300 AND 399 THEN url END)) / COUNT(DISTINCT(CASE WHEN url LIKE 'http://%' THEN url END)) AS pct_http_urls_with_https_redirect_on_page -- noqa: AM09
 FROM
-  `httparchive.crawl.requests`
+  `httparchive.crawl.requests`,
+  UNNEST(response_headers) AS response_headers
 WHERE
   date = '2025-07-01' AND
   is_root_page
diff --git a/sql/2025/security/robot_txt_sensitive_disallow.sql b/sql/2025/security/robot_txt_sensitive_disallow.sql
@@ -4,16 +4,10 @@
 CREATE TEMPORARY FUNCTION getAllDisallowedEndpoints(data JSON)
 RETURNS ARRAY<STRING> DETERMINISTIC
 LANGUAGE js AS '''
-  let parsed_data;
-  try {
-    parsed_data = JSON.parse(data);
-  } catch (e) {
+  if (data == null || data["/robots.txt"] == undefined || !data["/robots.txt"]["found"]) {
       return [];
   }
-  if (parsed_data == null || parsed_data["/robots.txt"] == undefined || !parsed_data["/robots.txt"]["found"]) {
-      return [];
-  }
-  const parsed_endpoints = parsed_data["/robots.txt"]["data"]["matched_disallows"];
+  const parsed_endpoints = data["/robots.txt"]["data"]["matched_disallows"];
   const endpoints_list = Object.keys(parsed_endpoints).map(key => parsed_endpoints[key]).flat();
   return Array.from(new Set(endpoints_list));
 ''';
diff --git a/sql/2025/security/sri_coverage_per_page.sql b/sql/2025/security/sri_coverage_per_page.sql
@@ -1,7 +1,7 @@
 #standardSQL
 # Section: Content Inclusion - Subresource Integriy
 # Question: How many scripts on a page have the integrity attribute? (percentage)
-CREATE TEMP FUNCTION getNumScriptElements(sris ARRAY<STRING>) AS (
+CREATE TEMP FUNCTION getNumScriptElements(sris ARRAY<JSON>) AS (
   (SELECT COUNT(0) FROM UNNEST(sris) AS sri WHERE JSON_EXTRACT_SCALAR(sri, '$.tagname') = 'script')
 );
 
diff --git a/sql/2025/security/tls_ca_issuers_pages_over_time.sql b/sql/2025/security/tls_ca_issuers_pages_over_time.sql
@@ -3,6 +3,7 @@
 # Question: What is the distribution of CA issuers for all pages over time?
 # Note: currently includes HTTP (i.e., pages with no issuer)
 SELECT
+  date,
   client,
   issuer,
   SUM(COUNT(0)) OVER (PARTITION BY client, date) AS total_https_pages,
@@ -23,10 +24,12 @@ FROM (
   GROUP BY
     client,
     request_host,
-    issuer
+    issuer,
+    date
 )
 GROUP BY
   client,
-  issuer
+  issuer,
+  date
 ORDER BY
-  pct DESC
+  date DESC
