Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Web Application Header Finding Messages

Ingrid

Finding messages (Remediations) for Web Application Header findings:

Access-Control-Allow-Origin Header

See proper implementation.

“null” must be lowercase

A “null” setting must be lowercase.

Remediation: Use only lowercase letters for the “null” value.

Can only be used for first setting

A “*” or “null” can only be used for the first setting.

Remediation: Ensure the first values in the setting are either “*” or “null” (lowercase only).

Duplicate entries

There are duplicate entries.

Remediation: Remove duplicate entries and ensure the remaining values are formatted correctly.

Incompatible setting

This setting is incompatible with earlier settings in this header.

Remediation: Ensure your settings do not conflict with each other, as specified in W3C Access Control for CSR.

Cache Control

See proper implementation.

Cannot be negative

This directive must be set to a value greater than or equal to zero.

Remediation: When specifying max-age or any other number in your Cache-Control header, it must be an integer greater than or equal to 0.

Directive used multiple times

This directive can only be used once.

Remediation: Remove duplicate directives from your policy.

Insecure configuration

This cache-control configuration is insecure.

Remediation: To satisfy this requirement, there are two choices. The first choice is to use the directive "max-age=N" with Cache-Control where N is an integer greater than or equal to zero. The second choice is to set the Expires header. For example, you can set Expires to “0,” or if desired, set to a negative value to disable caching. See RFC-7234 (sections 5.2 and 5.3) for more info.

Must be a quoted string

This value must be a string contained within double quotes.

Remediation: Ensure the attribute begins and ends with double quotation marks (") and (") and does not contain smart typographer's quotes (“) and (”).

Must be an integer

The max-age value must be an integer.

Remediation: Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers.

Public and private directives

Public and private directives cannot be set simultaneously.

Remediation: Choose either the “public” or “private” value in your directive, but not both.

Satisfied by Expires header

Cache-Control is effectively implemented by the presence of the Expires header.

Value is missing

The cache-control value is missing.

Remediation: Implement Cache-Control correctly, according to RFC-7234.

Value not allowed

This cache-control value is not allowed for this directive.

Remediation: Use correct values. Please see RFC-7234 for a comprehensive overview of cache-control.

Content-Security-Policy

Unsafe Keywords and Sources

Content-Security-Policy (CSP) allows resources to be fetched from unsafe sources and can facilitate XSS by allowing code to be included directly in the document. See proper implementation.

“Unsafe-eval” is insecure

Unsafe-eval is vulnerable to XSS attacks.

Remediation: Remove the “unsafe-eval” keyword from your CSP.

“Unsafe-inline” is insecure

Unsafe-inline is vulnerable to XSS attacks.

Remediation: Remove the “unsafe-inline” keyword from your CSP.

Insecure redirect

This security policy allows a redirect that is not secure.

Remediation: Remove any use of unsafe-redirect in your CSP.

“Blob” source is insecure

The “blob” source may allow the loading of unsafe resources.

Remediation: Remove “blob:” from the source list in your CSP.

“Data” source is insecure

The “data” source may allow the loading of unsafe resources.

Remediation: Remove “data:” from the source list in your CSP.

“Filesystem” source is insecure

The “filesystem” source may allow the loading of unsafe resources.

Remediation: Remove “filesystem:” from the source list in your CSP.

Potentially insecure policy

This CSP has issues that possibly makes it insecure.

Remediation: Remove any instances of “unsafe-” directives and “blob, data, filesystem” sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP.

Unspecified or Invalid Sources

The policy fails to specify directive sources or incorporates a wildcarded source.

Asterisks in the source are insecure

This source allows potentially unsafe resources to be loaded from anywhere.

Remediation: Remove any instances of the asterisk character (*) that are by itself from your CSP.

Source is too broad

This source is too broad to properly prevent attacks.

Remediation: Use specific sources, such as https://www.example.com. Remove generalizations, such as http:, https:, https://*.com. Make sure the source is not in Mozilla's Public Suffix list; sources from this list will cause this error.

Conflicting source expressions

The “none” source expression, which represents a lack of URLs, is listed along with other URLs.

Remediation: Choose either “none” or specify source URLs, but do not use both in your CSP.

Default-src inherited

This directive was not explicitly specified, so the default-src will be used instead.

Remediation: Set specific policies for your directives. Otherwise, the default-src directive will be used instead.

Invalid host source

The host source is invalid or improperly formatted.

Remediation: Ensure your host source is properly formatted in your CSP. Learn more at W3C CSP.

Invalid source expression

This source can not be included in a CSP.

Remediation: Use only valid source expressions in your CSP. Learn more at W3C CSP.

Missing default-src

The default-src directive is not set.

Remediation: Use the default-src directive in your CSP, as specified in W3C CSP.

Missing source list

There is no source list in this CSP.

Remediation: Add components to the source list for your CSP. Learn more at W3C CSP.

Invalid Directives

The policy contains directives that are invalid or circumvent other directives. The policy is likely not operating as intended.

Directive is not allowed

This is not a valid directive for this HTTP header.

Remediation: Ensure your directives use approved expressions and they do not contain spelling errors.

Directive used multiple times

This directive can only be used once.

Remediation: Remove duplicate directives from your policy.

Empty policy

This security policy has no sources, rendering it ineffective.

Remediation: Make sure that your source-list is not empty and refers to complete URLs or IP addresses, as described in Policy Delivery: Content-Security-Policy Header Field (section 3.1).

Header overwritten

Another header has overwritten this CSP, rendering it invalid.

Remediation: Check your CSP headers and ensure that your headers do not conflict with each other.

Header set more than once

This header cannot be set more than once.

Remediation: Remove duplicate headers and duplicate header definitions from your HTTP headers.

Expires Header

See proper implementation.

Expires date is invalid

The Expires date is invalid or improperly formatted.

Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.”

Expires date is too far in the future

The Expires date should not be more than a year in the future.

Change the date to be no more than one year ahead of the current day.

HTTP Downgrade

Links are evaluated to determine if any link results in a downgrade of the recipient, from an HTTPS connection to an HTTP connection.

HTTPS to HTTP link (intra-domain)

HTTPS webpage with internal HTTP link to same domain.

Remediation: Avoid using HTTP links on HTTPS webpages.

HTTPS to HTTP link (intra-site)

HTTPS webpage with internal HTTP link to same site.

Remediation: Avoid using HTTP links on HTTPS webpages.

HTTP Strict-Transport-Security (HSTS)

See proper implementation.

Directive used multiple times

This directive can only be used once.

Remediation: Remove duplicate directives from your policy.

“includeSubDomains” is misspelled

The “includeSubDomains” phrase is misspelled.

Remediation: Ensure the capitalization for “includeSubDomains” is exact.

Invalid max-age

This field is not an integer, is too long, or contains a syntax error.

Remediation: The Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers.

Max-age is not set

Max-age is a required directive used to help prevent man-in-the-middle (MITM) attacks.

Remediation: Use the max-age directive in your HTTP Strict-Transport-Security header, as specified in RFC-6797 (section 6.1.1). Ensure it contains only a positive number. To avoid the “max-age is too small” warning, set the max-age to at least 86400.

Max-age is too small

The Max-age should be set to at least 86400.

Remediation: Change the max-age directive in your HTTP Strict-Transport-Security header to be greater than or equal to 86400.

“Preload” is misspelled

The word “preload” is misspelled.

Remediation: Ensure “preload” is spelled correctly.

Ineffective Header

Ineffective headers: {{1}}

The implementation of these header(s) do not follow security best practices.

Remediation: Ensure your headers are implemented correctly, as outlined in RFC-7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.

Optional headers ineffective: [HTML_REMOVED]

The following number of headers are formatted in a way that makes them ineffective.

Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).

Required headers ineffective: [HTML_REMOVED]

The following number of headers are formatted in a way that makes them ineffective.

Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).

Invalid

Invalid character

This response contains invalid characters.

Remediation: Responses may only include any ASCII character, except control characters, and allowed separator characters, as specified in RFC-2616 (section 4.2).

Invalid URL

The URL specified by this directive is not valid.

Remediation: Ensure the URL is correctly formatted and is a valid and existing URL.

Must be a valid integer

This value must be a valid integer between -2^31 and 2^31 -1.

Remediation: Ensure the value is a valid integer and does not contain any other characters, aside from numbers.

Value not allowed

No value is allowed for this directive.

Remediation: Do not include a value along with this directive; it is directive-only.

Location Header

See proper implementation.

HTTPS redirect to HTTP

HTTPS URI is redirecting to HTTP URI.

Remediation: Avoid downgrading user connections from secure to insecure. Learn why

Missing Data

Header is missing

This required header was not found.

Remediation: Ensure your policy correctly implements the required headers. See required headers.

Missing directive

A required directive cannot be found.

Remediation: Ensure your policy correctly implements the required headers. See required headers.

Missing required headers

One or more required security headers are not set.

Remediation: Ensure your policy correctly implements the required headers. required headers.

Missing URL

There is no URL specified by this directive.

Remediation: Include a valid and existing URL. Ensure it is correctly formatted.

No security headers are set

None of the security headers are set.

Remediation: Set your security headers. Refer to the required headers.

No value set

A value is expected for this directive, but none are set.

Remediation: Ensure that you have set a value for this directive.

Required headers not set: [HTML_REMOVED]

The following number of required headers are not set.

Remediation: Ensure your policy correctly implements the required headers.

Redirects

Sites with a confirmed immediate redirect (using a redirect code 301, 302, 307) are graded as NEUTRAL. Resources are evaluated to check if any external dependency is used through HTTP (non-HTTPS) that might leave the application users at risk.

HTTP external resource on HTTPS

HTTPS webpage with an external HTTP resource.

Remediation: Avoid using HTTP external resources on HTTPS webpages.

Redirect

The page redirected to a different hostname or IP using a 301, 302, or 307 status code.

HTTP headings are not graded unless the Set-cookie header is set. See proper implementation.

Empty cookie value

The cookie value is empty.

Remediation: The “cookie-value” field cannot be empty. Ensure it is a valid cookie ID, enclosed in double quotes, and contains only valid ASCII characters.

Invalid character

There is an invalid character in the cookie value.

Remediation: Make sure that in your Set-Cookie header, the cookie-value attribute contains only US-ASCII characters (excluding CTLs), whitespace, commas, semicolons, and backslashes. See Set-Cookie syntax.

Invalid cookie pair

The cookie name-value pair is invalid.

Remediation: Ensure the cookie-name, cookie-value, and cookie-pair attributes are used correctly and have correct values in your Set-Cookie header. See Set-Cookie syntax for additional details.

Invalid domain

This field does not contain a valid domain.

Remediation: Ensure the domain-value attribute in your Set-Cookie header has a value that refers to an existing domain, is spelled correctly, and if it is an IP address, that it is complete.

Invalid expires value

The Expires date is invalid or is improperly formatted.

Remediation: Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.”

Invalid max-age

This field is not an integer, is too long, or contains a syntax error.

Remediation: The Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers.

Invalid path

The path setting does not contain a valid path.

Remediation: Ensure the path-av attribute has a value that refers to an actual and existing forward path (yourdomain.com/path).

No cookie pair

No cookie pair found.

Remediation: Ensure the “cookie pair” attribute in your Set-Cookie header exists and is used in the following manner: cookie-pair = cookie-name "=" cookie-value. See Set-Cookie syntax for additional details.

No Set-Cookie

For HTTP connections, no headers are graded unless Set-Cookie is defined.

Remediation: Please review all header requirements.

No Set-Cookie found

For HTTP connections, no headers are graded unless Set-Cookie is defined.

As of August 22, 2023, no new findings are associated with this message. Refer to No Set-Cookie for up-to-date messages.

Remediation: Please review all header requirements. Define your set-cookie header to be graded as “GOOD” and enable grading for all other headers.

Repeated ID

Two or more cookies are using the same ID.

Remediation: Ensure the first “name = value;” pair in your Set-Cookie header is not using a duplicated setting.

Secure is not set

The secure directive is not set.

Remediation: Ensure the secure value in your Set-Cookie header is being used in your directive.

WWW-Authenticate Header

See proper implementation.

Authentication over HTTP

Requiring authentication over HTTP.

Remediation: Only use auth forms on HTTPS resources.

X-Content-Type-Options

See proper implementation.

Must be “nosniff”

The first field should contain a “nosniff” value.

Remediation: Set the value for X-Content-Type-Options to be “nosniff.”

X-Frame-Options

See proper implementation.

Too many directives

Browsers only support one X-Frame-Options header and one value within that header.

Remediation: Ensure the X-Frame-Options header contains either only the DENY or the SAMEORIGIN option.

X-XSS-Protection

See proper implementation.

Incompatible setting

This setting is incompatible with earlier settings in this header.

Remediation: Ensure that your settings do not conflict with each other, as specified in W3C Access Control for CSR.

Must be “block”

The mode must be set to “block,” as it is the only accepted value.

Remediation: If X-XSS-Protection is enabled, the mode must be set to “block” and cannot be set to anything else.

Must be 0 or 1

The first directive must be either “0 or “1,” as these are the only values that enable or disable the header.

Remediation: The first directive in the X-XSS-Protection header must be 0 or 1, cannot be any other number or contain text.

Report must be last

The Report directive must come last, otherwise a client might ignore this value.

Remediation: Ensure your X-XSS-Protection header directives are ordered correctly and that “Report” is the last directive.

  • August 29, 2024: Linked to proper implementation resources.
  • September 12, 2023: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.