From c66b106278d57532aec4e7aff6b185d95199481e Mon Sep 17 00:00:00 2001
From: Alejandro Garcia
Date: Tue, 23 Jun 2026 17:43:10 -0300
Subject: [PATCH] fix: update OWASP data source to use raw GitHub URL (issue #275)
---
 src/owasp.js | 2 +-
 test/unit/owasp.spec.js | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/owasp.js b/src/owasp.js
index e4d4840..9012223 100644
--- a/src/owasp.js
+++ b/src/owasp.js
@@ -95,7 +95,7 @@ class OWASP {
 const headerJSON = await new Promise((resolve, reject) => {
 const req = https
 .get(
- "https://owasp.org/www-project-secure-headers/ci/headers_add.json",
+ "https://raw.githubusercontent.com/OWASP/www-project-secure-headers/refs/heads/master/ci/headers_add.json",
 (res) => {
 let data = [];
diff --git a/test/unit/owasp.spec.js b/test/unit/owasp.spec.js
index 6f550b1..a7e73e7 100644
--- a/test/unit/owasp.spec.js
+++ b/test/unit/owasp.spec.js
@@ -11,8 +11,8 @@ const newOWASPJSON = require("../json/newOWASP.json");
 describe(`owasp`, function () {
 describe(`getLatest`, function () {
 it(`populates the defaults from the included OWASP release when the online version can not be reached`, async function () {
- nock("https://owasp.org")
- .get("/www-project-secure-headers/ci/headers_add.json")
+ nock("https://raw.githubusercontent.com")
+ .get("/OWASP/www-project-secure-headers/refs/heads/master/ci/headers_add.json")
 .reply(404, {});
 await owasp.getLatest().catch((err) => {
@@ -33,8 +33,8 @@ describe(`owasp`, function () {
 });
 it(`populates the defaults with information from a new OWASP release`, async function () {
- nock("https://owasp.org")
- .get("/www-project-secure-headers/ci/headers_add.json")
+ nock("https://raw.githubusercontent.com")
+ .get("/OWASP/www-project-secure-headers/refs/heads/master/ci/headers_add.json")
 .reply(200, newOWASPJSON);
 await owasp.getLatest().catch((err) => {
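Review bot: The replacement URL passed to `.get(` in src/owasp.js tracks the mutable `refs/heads/master` ref, so whatever is on that branch at request time becomes the source of the header defaults, and no pin or integrity check is visible in this hunk. If reproducible defaults matter more than freshness, pin the path to a tag or commit, e.g. `"https://raw.githubusercontent.com/OWASP/www-project-secure-headers/<COMMIT_SHA_PLACEHOLDER>/ci/headers_add.json",`. If tracking the latest is intended, validate the parsed JSON (expected `headers` array, allowlisted header names) before it replaces the bundled release. A short comment above the URL saying why the raw GitHub host is used and that the bundled data is the fallback would also help. The response callback and the rest of the enclosing method (presumably `getLatest`, judging by the tests) lie outside the hunk, so status-code and parse-error handling could not be checked here.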
@@ -59,8 +59,8 @@ describe(`owasp`, function () {
 const newOWASPJSONAdded = structuredClone(newOWASPJSON);
 newOWASPJSONAdded.headers.push({ name: "x-added", value: "true" });
- nock("https://owasp.org")
- .get("/www-project-secure-headers/ci/headers_add.json")
+ nock("https://raw.githubusercontent.com")
+ .get("/OWASP/www-project-secure-headers/refs/heads/master/ci/headers_add.json")
 .reply(200, newOWASPJSONAdded);
 await owasp.getLatest().catch((err) => {