gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc')
-rw-r--r--  doc/update/index.md                                    |  6
-rw-r--r--  doc/user/application_security/dast/checks/1004.1.md   | 41
-rw-r--r--  doc/user/application_security/dast/checks/16.1.md     | 33
-rw-r--r--  doc/user/application_security/dast/checks/16.2.md     | 44
-rw-r--r--  doc/user/application_security/dast/checks/16.3.md     | 35
-rw-r--r--  doc/user/application_security/dast/checks/16.4.md     | 28
-rw-r--r--  doc/user/application_security/dast/checks/16.5.md     | 30
-rw-r--r--  doc/user/application_security/dast/checks/614.1.md    | 40
-rw-r--r--  doc/user/application_security/dast/checks/693.1.md    | 36
-rw-r--r--  doc/user/application_security/dast/checks/index.md    | 20
10 files changed, 313 insertions, 0 deletions
diff --git a/doc/update/index.md b/doc/update/index.md
index 973e111fe3c..ca44c22a10e 100644
--- a/doc/update/index.md
+++ b/doc/update/index.md
@@ -303,6 +303,12 @@ NOTE:
Specific information that follow related to Ruby and Git versions do not apply to [Omnibus installations](https://docs.gitlab.com/omnibus/)
and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with appropriate Ruby and Git versions and are not using system binaries for Ruby and Git. There is no need to install Ruby or Git when utilizing these two approaches.
+### 14.5.0
+
+When `make` is run, Gitaly builds are now created in `_build/bin` and no longer in the root directory of the source directory. If you
+are using a source install, update paths to these binaries in your init scripts by
+[following the documentation](upgrading_from_source.md#init-script).
+
### 14.4.0
Git 2.33.x and later is required. We recommend you use the
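Review bot: the new 14.5.0 entry tells source-install operators to update their init scripts but never states plainly what moved, beyond "Gitaly builds"; one sentence that names the old location and the new `_build/bin` path together would let readers grep their scripts for the affected paths. The phrase "no longer in the root directory of the source directory" also reads awkwardly; suggest "Gitaly binaries are now built into `_build/bin` instead of the root of the Gitaly source directory".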
diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md
new file mode 100644
index 00000000000..cbbcea1d34d
--- /dev/null
+++ b/doc/user/application_security/dast/checks/1004.1.md
@@ -0,0 +1,41 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Sensitive cookie without `HttpOnly` attribute
+
+## Description
+
+The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set.
+To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all
+cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute
+set.
+
+## Remediation
+
+Most web application frameworks allow configuring how cookies are sent to user-agents. Consult your framework's
+documentation for more information on how to enable various security directives when assigning cookies to clients.
+
+If the application is assigning cookies via writing to the response headers directly, ensure all responses include
+the `HttpOnly` attribute. By enabling this protection, the application is able to mitigate the impact of
+certain Cross-Site Scripting (XSS) attacks.
+
+Example:
+
+```http
+Set-Cookie: {cookie_name}=<random secure value>; HttpOnly
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 1004.1 | false | 1004 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-community/HttpOnly)
+- [cwe](https://cwe.mitre.org/data/definitions/1004.html)
+- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
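Review bot: in the Description paragraph, `document.cookies` is not a DOM property; the accessor scripts use to read cookies is `document.cookie` (singular), so the text should say "usually via `document.cookie`". Separately, check 614.1 in this same patch fires on the same class of cookie for the missing `Secure` attribute, so the `Example:` block here could show both attributes together (`Set-Cookie: {cookie_name}=<random secure value>; Secure; HttpOnly`) so that a reader fixing one finding does not leave the other open.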
diff --git a/doc/user/application_security/dast/checks/16.1.md b/doc/user/application_security/dast/checks/16.1.md
new file mode 100644
index 00000000000..bb030d2f9c4
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.1.md
@@ -0,0 +1,33 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Missing Content-Type header
+
+## Description
+
+The `Content-Type` header ensures that user agents correctly interpret the data being received. Without this header
+being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able
+to upload files that are accessible by using a browser, they could upload files that may be interpreted as
+HTML and so execute Cross-Site Scripting (XSS) attacks.
+
+## Remediation
+
+Ensure all resources return a proper `Content-Type` header that matches their format. As an example,
+when returning JavaScript files, the response header should be: `Content-Type: application/javascript`
+
+For added protection, we recommend that all resources return the `X-Content-Type-Options: nosniff`
+header to disable user agents from mis-interpreting resources.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.1 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
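Review bot: the second Remediation paragraph restates the advice of check 693.1, which this patch also adds, without linking to it; suggest replacing the repeated `nosniff` sentence with a link to `693.1.md` so the two pages do not drift apart. Since the Description's XSS scenario is about content being treated as HTML, the example should also cover the HTML case and include the charset, e.g. `Content-Type: text/html; charset=utf-8`, because an unspecified charset is a second place where the browser is left to guess. Minor: "mis-interpreting" in the last paragraph and "misinterpret" in the Description should use one spelling.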
diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md
new file mode 100644
index 00000000000..95461e8677d
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.2.md
@@ -0,0 +1,44 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Server header exposes version information
+
+## Description
+
+The target website returns the `Server` header and version information of this website. By
+exposing these values, attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+We recommend that the version information be removed from the `Server` header.
+
+Apache:
+For Apache based web sites, set the `ServerTokens` to `Prod` in the `httpd.conf` configuration file.
+
+NGINX:
+For NGINX based websites, set the `server_tokens` configuration value to `off` in the `nginx.conf` file.
+
+IIS:
+For IIS based websites version 10 and above you can use the `removeServerHeader` element to the `requestFiltering`
+section of the `Web.config` file.
+
+For all other server types, please consult your product's documentation on how to redact the version information from
+the `Server` header.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.2 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
+- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
+- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
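Review bot: the `Apache ServerTokens` entry under Links points at the Mozilla MIME-confusion blog post (the same URL used in 16.1 and 693.1), evidently a copy-paste slip; it should point at the Apache documentation for the `ServerTokens` directive. In the IIS paragraph, "use the `removeServerHeader` element to the `requestFiltering` section" is ungrammatical and, as the linked `#attributes` anchor indicates, `removeServerHeader` is an attribute of the `<requestFiltering>` element rather than a child element, so suggest "set `removeServerHeader="true"` on the `<requestFiltering>` element in `Web.config`".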
diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md
new file mode 100644
index 00000000000..e4dcf3ece4b
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.3.md
@@ -0,0 +1,35 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# X-Powered-By header exposes version information
+
+## Description
+
+The target website returns the `X-Powered-By` header and version information of this website. By
+exposing these values, attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+We recommend that the version information be removed from the `X-Powered-By` header.
+
+PHP:
+For PHP based web sites, set the `expose_php` option to `off` in the `php.ini` configuration file.
+
+For all other server types, please consult your product's documentation on how to redact the version
+information from the `X-Powered-By` header.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.3 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
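Review bot: the Remediation covers only PHP, while the Description and the check itself apply to any `X-Powered-By` value that carries a version; the generic closing paragraph would be more actionable if it said that the header is commonly added by application frameworks and can also be stripped at the reverse proxy or edge server, in the same place the `Server` header fix from 16.2 is applied, so operators who cannot change the application still have a remediation path.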
diff --git a/doc/user/application_security/dast/checks/16.4.md b/doc/user/application_security/dast/checks/16.4.md
new file mode 100644
index 00000000000..c0161c910b0
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.4.md
@@ -0,0 +1,28 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# X-Backend-Server header exposes server information
+
+## Description
+
+The target website returns the `X-Backend-Server` header which includes potentially internal/hidden IP addresses
+or hostnames. By exposing these values, attackers may attempt to circumvent security proxies and access these
+hosts directly.
+
+## Remediation
+
+Consult your proxy/load balancer documentation or provider on how to disable revealing the
+`X-Backend-Server` header value.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.4 | true | 16 | Passive | Info |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
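Review bot: the Remediation is thinner than the Description warrants. The Description explains that the risk is attackers reaching the named backend hosts directly and bypassing the proxy; the Remediation should say that, besides suppressing the header, those backend hosts should accept traffic only from the proxy, otherwise the finding is merely hidden rather than closed. Minor: "internal/hidden IP addresses" is vague; "internal IP addresses" says the same thing.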
diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md
new file mode 100644
index 00000000000..8a6f3cd8b6a
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.5.md
@@ -0,0 +1,30 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# AspNet Header(s) exposes version information
+
+## Description
+
+The target website returns AspNet header(s) and version information of this website. By
+exposing these values attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>`
+section of the `Web.config` file.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.5 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710)
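Review bot: the title and Description say "header(s)" but the Remediation handles only `X-AspNet-Version`; either list every header the check matches on or make the title singular, because a reader who removes this one header cannot tell from the page whether the finding will clear. Also, the `Web.config` section is `<system.web>` (all lowercase), not `<system.Web>`; XML element names are case-sensitive, so the text as written would send readers looking for a section that does not exist.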
diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md
new file mode 100644
index 00000000000..74ac73935f1
--- /dev/null
+++ b/doc/user/application_security/dast/checks/614.1.md
@@ -0,0 +1,40 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Sensitive cookie without `Secure` attribute
+
+## Description
+
+The {cookie_name} cookie was transmitted in a `Set-Cookie` response without the `Secure` attribute set.
+To prevent sensitive cookie values being accidentally transmitted over clear-text HTTP we
+recommended that cookies are declared with the `Secure` attribute.
+
+## Remediation
+
+Most web application frameworks allow configuring how cookies are sent to user agents. Consult your framework's
+documentation for more information on how to enable various security attributes when assigning cookies to clients.
+
+If the application is assigning cookies via writing to the response headers directly, ensure all responses include
+the `Secure` attribute. By enabling this protection, the application will no longer send sensitive cookies over
+HTTP.
+
+Example:
+
+```http
+Set-Cookie: {cookie_name}=<random secure value>; Secure
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 614.1 | false | 614 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute)
+- [cwe](https://cwe.mitre.org/data/definitions/614.html)
+- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
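Review bot: in the Description, "we recommended that cookies are declared" should read "we recommend that cookies be declared". The last Remediation paragraph says the application "will no longer send sensitive cookies over HTTP"; strictly it is the user agent that stops attaching the cookie to clear-text requests, and the server can still set it over HTTP, so suggest "the user agent will no longer send the cookie over clear-text HTTP", which also makes clear why the application must itself be served over HTTPS for the attribute to help.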
diff --git a/doc/user/application_security/dast/checks/693.1.md b/doc/user/application_security/dast/checks/693.1.md
new file mode 100644
index 00000000000..07cb368b39a
--- /dev/null
+++ b/doc/user/application_security/dast/checks/693.1.md
@@ -0,0 +1,36 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Missing X-Content-Type-Options: nosniff
+
+## Description
+
+The `X-Content-Type-Options` header with the value `nosniff` ensures that user agents do not attempt to
+guess the format of the data being received. User Agents such as browsers, commonly attempt to guess
+what the resource type being requested is, through a process called MIME type sniffing.
+
+Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks.
+If an attacker were able to upload files that are accessible by using a browser, they could upload files
+that could be interpreted as HTML and execute Cross-Site Scripting (XSS) attacks.
+
+## Remediation
+
+We recommend that the header and value of `X-Content-Type-Options: nosniff` be set server wide.
+This ensures any resources that are mistakenly missing a `Content-Type` value are not
+misinterpreted.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 693.1 | true | 693 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-project-secure-headers/#x-content-type-options)
+- [cwe](https://cwe.mitre.org/data/definitions/693.html)
+- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
+- [Mozilla MDN on X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
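Review bot: the comma in "User Agents such as browsers, commonly attempt" separates subject from verb; drop it ("User agents such as browsers commonly attempt"). The Remediation would benefit from the same `Example:` block the cookie pages use (`X-Content-Type-Options: nosniff`), and from one sentence noting that `nosniff` supplements rather than replaces a correct `Content-Type`, since the header tells the browser to trust the declared type instead of guessing, which is exactly why the Remediation's point about resources "mistakenly missing a `Content-Type`" holds.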
diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md
new file mode 100644
index 00000000000..f1a68387eb1
--- /dev/null
+++ b/doc/user/application_security/dast/checks/index.md
@@ -0,0 +1,20 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# DAST browser-based crawler vulnerability checks **(ULTIMATE)**
+
+The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test.
+
+| ID | Check | Severity | Type |
+|:---|:------|:---------|:-----|
+| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive |
+| [16.1](16.1.md) | Missing Content-Type header | Low | Passive |
+| [16.2](16.2.md) | Server header exposes version information | Low | Passive |
+| [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive |
+| [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive |
+| [16.5](16.5.md) | AspNet Header(s) exposes version information | Low | Passive |
+| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive |
+| [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive |
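Review bot: the index table labels the column `Severity` while every check page's Details table calls the same value `Risk`; pick one term so readers can map the two tables to each other. The index also omits the `Aggregated` flag, which is what distinguishes a per-cookie finding (1004.1, 614.1) from a site-wide one, and a one-line definition of `Passive` would help, since every row carries it and neither this page nor the check pages say what it means.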