Security sql 2025 (#4181)

* copied 2024 queries

* Added partitioned attribute to query

* Updated queries to use 2025 data

* Rewrote documentdomain usage to use crawl.pages

* Rewrote feature adaption queries to use response headers field

* Changed all except features and iframes to crawl database

* Updated feature adoption queries to match new db structure

* Updated iframe queries to match new db structure

* CA issuer over time query added

* Added expired cert query

* Updated CSP queries in line with issue 4036

* Added Audit issues query

* Removed unused query, added browser log queries

* Added document-policy-report-only

* Added doc policy to more secheader queries

* Linting

* Updated json selectors

* Better JSON selectors, removed some subqueries, removed unneeded comments

* Linting

* Subquery removal

* Fix linting error

---------

Co-authored-by: Vik Vanderlinden <vikvanderlinden@users.noreply.github.com>
Co-authored-by: Barry Pollard <barrypollard@google.com>

Author: 3 people

sql/2025/security/audit_issues.sql

@@ -0,0 +1,26 @@
+#standardSQL
+# Question: What Audit issues are present in the pages? https://chromedevtools.github.io/devtools-protocol/tot/Audits/#type-InspectorIssueCode
+SELECT
+  client,
+  issuename,
+  COUNT(DISTINCT page) AS total_pages,
+  COUNT(DISTINCT IF(LOWER(JSON_VALUE(issue.code)) = LOWER(issuename), page, NULL)) AS count_with_issue,
+  COUNT(DISTINCT IF(LOWER(JSON_VALUE(issue.code)) = LOWER(issuename), page, NULL)) / COUNT(DISTINCT page) AS pct_with_issue
+FROM
+  `httparchive.crawl.pages`,
+  UNNEST(JSON_QUERY_ARRAY(payload._audit_issues)) AS issue,
+  UNNEST([
+    'CookieIssue',
+    'MixedContentIssue',
+    'ContentSecurityPolicyIssue',
+    'CorsIssue'
+  ]) AS issuename
+WHERE
+  date = '2025-07-01' AND
+  is_root_page
+GROUP BY
+  client,
+  issuename
+ORDER BY
+  client,
+  pct_with_issue DESC

sql/2025/security/bot_detection.sql

@@ -0,0 +1,38 @@
+#standardSQL
+# Section: Attack Preventions - Bot protection services
+# Question: Which bot protection services are used most often on mobile and desktop sites?
+# Notes: The Wappalyzer 'Security' category mostly contains bot protection services such as reCAPTCHA and Cloudflare Bot Management
+# Issue: Due to some updates to wappalyzer the 'Security' category now also contains 'HSTS' (security header) and 'Really Simple SSL & Security' in significant numbers. Do we want to filter them out?
+SELECT
+  client,
+  t.technology,
+  COUNT(0) AS freq,
+  total,
+  COUNT(0) / total AS pct
+FROM
+  `httparchive.crawl.pages`,
+  UNNEST(technologies) AS t,
+  UNNEST(t.categories) AS category
+JOIN (
+  SELECT
+    client,
+    COUNT(0) AS total
+  FROM
+    `httparchive.crawl.pages`
+  WHERE
+    date = '2025-07-01' AND
+    is_root_page
+  GROUP BY
+    client
+)
+USING (client)
+WHERE
+  date = '2025-07-01' AND
+  category = 'Security' AND
+  is_root_page
+GROUP BY
+  client,
+  total,
+  t.technology
+ORDER BY
+  pct DESC

sql/2025/security/browser_logs.sql

@@ -0,0 +1,35 @@
+SELECT
+  client,
+  COUNT(0) AS total_pages,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Mixed Content')) AS mixed_content_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Mixed Content')) / COUNT(0) AS mixed_content_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'has been blocked by CORS policy')) AS cors_blocked_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'has been blocked by CORS policy')) / COUNT(0) AS cors_blocked_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Content Security Policy') OR REGEXP_CONTAINS(JSON_VALUE(logs, '$.text'), 'Content-Security-Policy')) AS content_security_policy_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Content Security Policy') OR REGEXP_CONTAINS(JSON_VALUE(logs, '$.text'), 'Content-Security-Policy')) / COUNT(0) AS content_security_policy_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Error with Feature-Policy')) AS error_with_feature_policy_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Error with Feature-Policy')) / COUNT(0) AS error_with_feature_policy_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Error with Permissions-Policy')) AS error_with_permissions_policy_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Error with Permissions-Policy')) / COUNT(0) AS error_with_permissions_policy_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'because its MIME type')) AS x_content_type_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'because its MIME type')) / COUNT(0) AS x_content_type_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'X-Frame-Options')) AS x_frame_options_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'X-Frame-Options')) / COUNT(0) AS x_frame_options_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The request has been aborted')) AS navigator_credentials_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The request has been aborted')) / COUNT(0) AS navigator_credentials_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The Cross-Origin-Opener-Policy has been ignored')) AS cross_originer_opener_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The Cross-Origin-Opener-Policy has been ignored')) / COUNT(0) AS cross_originer_opener_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Document-Policy HTTP header') OR REGEXP_CONTAINS(JSON_VALUE(logs, '$.text'), 'Document Policy violation')) AS document_policy_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'Document-Policy HTTP header') OR REGEXP_CONTAINS(JSON_VALUE(logs, '$.text'), 'Document Policy violation')) / COUNT(0) AS document_policy_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The resource has been blocked')) AS subresource_integrity_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'The resource has been blocked')) / COUNT(0) AS subresource_integrity_freq,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'This document requires')) AS trusted_types_count,
+  COUNTIF(REGEXP_CONTAINS(JSON_VALUE(logs.text), 'This document requires')) / COUNT(0) AS trusted_types_freq
+FROM
+  `httparchive.crawl.pages`,
+  UNNEST(JSON_QUERY_ARRAY(payload, '$._browser_logs')) AS logs
+WHERE
+  date = '2025-07-01' AND
+  is_root_page
+GROUP BY
+  client

sql/2025/security/clear-site-data_value_prevalence.sql

@@ -0,0 +1,25 @@
+#standardSQL
+# Section: Attack preventions - Preventing attacks using Clear-Site-Data
+# Question: Which Clear-Site-Data header values are most prevalent?
+# Notes: Many used values are still invalid (without quotes). We only count each host-value pair once.
+SELECT
+  client,
+  response_headers.value AS csd_header,
+  SUM(COUNT(DISTINCT NET.HOST(url))) OVER (PARTITION BY client) AS total_csd_headers,
+  COUNT(DISTINCT NET.HOST(url)) AS freq,
+  COUNT(DISTINCT NET.HOST(url)) / SUM(COUNT(DISTINCT NET.HOST(url))) OVER (PARTITION BY client) AS pct
+FROM
+  `httparchive.crawl.requests`,
+  UNNEST(response_headers) AS response_headers
+WHERE
+  date = '2025-07-01' AND
+  is_root_page AND
+  # is_main_document AND # (Uncomment to only run on the main document response; majority of CSD headers are set on them)
+  LOWER(response_headers.name) = 'clear-site-data'
+GROUP BY
+  client,
+  csd_header
+ORDER BY
+  pct DESC
+LIMIT
+  100

sql/2025/security/coep_header_prevalence.sql

@@ -0,0 +1,31 @@
+#standardSQL
+# Section: Attack Preventions - Preventing attacks using Cross-Origin policies
+# Question: Which are the most common COEP values?
+# Note: Considers headers of main document responses only
+SELECT
+  client,
+  coep_header,
+  SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS total_coep_headers,
+  COUNT(DISTINCT host) AS freq,
+  COUNT(DISTINCT host) / SUM(COUNT(DISTINCT host)) OVER (PARTITION BY client) AS pct
+FROM (
+  SELECT
+    client,
+    NET.HOST(url) AS host,
+    response_headers.value AS coep_header
+  FROM
+    `httparchive.crawl.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2025-07-01' AND
+    is_root_page AND
+    is_main_document AND
+    LOWER(response_headers.name) = 'cross-origin-embedder-policy'
+)
+GROUP BY
+  client,
+  coep_header
+ORDER BY
+  pct DESC
+LIMIT
+  100

sql/2025/security/cookie_age_negative.sql

@@ -0,0 +1,130 @@
+#standardSQL
+# Section: Cookies - Cookie Age
+# Question: How many cookies (total, hosts, pages) have negative Max-Age, Expires and real age (Max-Age has precedence over Expires) attributes?
+# Note: Query is expensive and slow (14TB). Query is inefficient (We create a result array of length 1 for each cookie-attribute for each cookie and then unnest it again; We could instead not use arrays and skip the unnesting).
+# Note: Some of the percentages are quite different to the old query; one of both might be broken (difficult to compare as both cannot operate on a shared dataset)
+CREATE TEMPORARY FUNCTION getCookieAgeValues(cookie_value STRING, epochOfRequest NUMERIC)
+RETURNS STRING DETERMINISTIC
+LANGUAGE js AS '''
+  const regexMaxAge = new RegExp(/max-age\\s*=\\s*(?<value>-*[0-9]+)/i);
+  const regexExpires = new RegExp(/expires\\s*=\\s*(?<value>.*?)(;|$)/i);
+  const cookieValues = [cookie_value];
+  const result = {
+      "maxAge": [],
+      "expires": [],
+      "realAge": []
+  };
+  cookieValues.forEach(cookie => {
+      let maxAge = null;
+      let expires = null;
+      if (regexMaxAge.exec(cookie)) {
+          maxAge = Number(regexMaxAge.exec(cookie)[1]);
+          result["maxAge"].push(maxAge);
+      }
+      if (regexExpires.exec(cookie)) {
+          expires = Math.round(Number(new Date(regexExpires.exec(cookie)[1])) / 1000) - epochOfRequest;
+          result["expires"].push(Number.isSafeInteger(expires) ? expires : null);
+      }
+      if (maxAge) {
+          result["realAge"].push(maxAge);
+      } else if (expires) {
+          result["realAge"].push(expires);
+      }
+  });
+  return JSON.stringify(result);
+''';
+
+WITH age_values AS (
+  SELECT
+    client,
+    page,
+    NET.HOST(url) AS host,
+    getCookieAgeValues(response_headers.value, INT64(summary.startedDateTime)) AS values
+  FROM
+    `httparchive.crawl.requests`,
+    UNNEST(response_headers) AS response_headers
+  WHERE
+    date = '2025-07-01' AND
+    is_root_page AND
+    LOWER(response_headers.name) = 'set-cookie'
+),
+
+max_age_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(max_age_value AS NUMERIC) <= 0) AS count_negative_max_age,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_max_age_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(max_age_value AS NUMERIC) <= 0, page, NULL)) AS num_max_age_pages,
+    COUNT(DISTINCT page) AS total_max_age_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(max_age_value AS NUMERIC) <= 0, host, NULL)) AS num_max_age_hosts,
+    COUNT(DISTINCT host) AS total_max_age_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.maxAge')) AS max_age_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+),
+
+expires_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(expires_value AS NUMERIC) <= 0) AS count_negative_expires,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_expires_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(expires_value AS NUMERIC) <= 0, page, NULL)) AS num_expires_pages,
+    COUNT(DISTINCT page) AS total_expires_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(expires_value AS NUMERIC) <= 0, host, NULL)) AS num_expires_hosts,
+    COUNT(DISTINCT host) AS total_expires_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.expires')) AS expires_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+),
+
+real_age_values AS (
+  SELECT
+    client,
+    COUNTIF(SAFE_CAST(real_age_value AS NUMERIC) <= 0) AS count_negative_real_age,
+    SUM(COUNT(0)) OVER (PARTITION BY client) AS total_real_age_cookies,
+    COUNT(DISTINCT IF(SAFE_CAST(real_age_value AS NUMERIC) <= 0, page, NULL)) AS num_real_age_pages,
+    COUNT(DISTINCT page) AS total_real_age_pages,
+    COUNT(DISTINCT IF(SAFE_CAST(real_age_value AS NUMERIC) <= 0, host, NULL)) AS num_real_age_hosts,
+    COUNT(DISTINCT host) AS total_real_age_hosts
+  FROM age_values,
+    UNNEST(JSON_QUERY_ARRAY(values, '$.realAge')) AS real_age_value
+  GROUP BY
+    client
+  ORDER BY
+    client
+)
+
+SELECT
+  client,
+  count_negative_max_age,
+  count_negative_max_age / total_max_age_cookies AS pct_negative_max_age,
+  num_max_age_pages,
+  num_max_age_pages / total_max_age_pages AS pct_max_age_pages,
+  num_max_age_hosts,
+  num_max_age_hosts / total_max_age_hosts AS pct_max_age_hosts,
+  count_negative_expires,
+  count_negative_expires / total_expires_cookies AS pct_negative_expires,
+  num_expires_pages,
+  num_expires_pages / total_expires_pages AS pct_expires_pages,
+  num_expires_hosts,
+  num_expires_hosts / total_expires_hosts AS pct_expires_hosts,
+  count_negative_real_age,
+  count_negative_real_age / total_real_age_cookies AS pct_negative_real_age,
+  num_real_age_pages,
+  num_real_age_pages / total_real_age_pages AS pct_real_age_pages,
+  num_real_age_hosts,
+  num_real_age_hosts / total_real_age_hosts AS pct_real_age_hosts
+FROM
+  max_age_values
+JOIN expires_values
+USING (client)
+JOIN real_age_values
+USING (client)
+ORDER BY
+  client