Finding messages (Remediations) for Web Application Header findings:
- Access-Control-Allow-Origin Header
- Cache Control
- Content-Security-Policy
- Expires Header
- HTTP Downgrade
- HTTP Strict-Transport-Security (HSTS)
- Ineffective Header
- Invalid
- Location Header
- Missing Data
- Redirects
- Set-Cookie Header
- WWW-Authenticate Header
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
Access-Control-Allow-Origin Header
“null” must be lowercase
A “null” setting must be lowercase.
Remediation: Use only lowercase letters for the “null” value.
Can only be used for first setting
A “*” or “null” can only be used for the first setting.
Remediation: Ensure the first values in the setting are either “*” or “null” (lowercase only).
Duplicate entries
There are duplicate entries.
Remediation: Remove duplicate entries and ensure the remaining values are formatted correctly.
Incompatible setting
This setting is incompatible with earlier settings in this header.
Remediation: Ensure your settings do not conflict with each other, as specified in W3C Access Control for CSR.
Cache Control
Cannot be negative
This directive must be set to a value greater than or equal to zero.
Remediation: When specifying max-age or any other number in your Cache-Control header, it must be an integer greater than or equal to 0.
Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.
Insecure configuration
This cache-control configuration is insecure.
Remediation: There are two ways to satisfy this requirement. The first is to use the directive "max-age=N" in Cache-Control, where N is an integer greater than or equal to zero. The second is to set the Expires header; for example, set Expires to “0” or, if desired, to a negative value to disable caching. See RFC-7234 (sections 5.2 and 5.3) for more information.
Must be a quoted string
This value must be a string contained within double quotes.
Remediation: Ensure the attribute begins and ends with straight double quotation marks (") and does not contain typographer's (smart) quotes (“ and ”).
Must be an integer
The max-age value must be an integer.
Remediation: Max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.
Public and private directives
Public and private directives cannot be set simultaneously.
Remediation: Choose either the “public” or “private” value in your directive, but not both.
Satisfied by Expires header
Cache-Control is effectively implemented by the presence of the Expires header.
Value is missing
The cache-control value is missing.
Remediation: Implement Cache-Control correctly, according to RFC-7234.
Value not allowed
This cache-control value is not allowed for this directive.
Remediation: Use correct values. Please see RFC-7234 for a comprehensive overview of cache-control.
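The Cache-Control rules above, as an added checker that is not part of the original page: it returns finding names that mirror the headings, and assumes only max-age/s-maxage are numeric and only no-cache/private carry an optional quoted field-name list.

```python
import re

# Added example, not the page's own code: checks a Cache-Control value (and the
# optional Expires header) against the rules listed above. Returned names mirror
# the page's finding headings. Simplified: only max-age/s-maxage are checked as
# integers and only no-cache/private as optional quoted field-name lists.
def check_cache_control(value, expires=None):
    findings = []
    seen = set()
    directives = [d.strip() for d in value.split(",") if d.strip()]
    if not directives:
        return ["Value is missing"]
    for d in directives:
        name, has_value, val = d.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:
            findings.append("Directive used multiple times")
        seen.add(name)
        if name in ("max-age", "s-maxage"):
            if not re.fullmatch(r"-?\d+", val):
                findings.append("Must be an integer")
            elif int(val) < 0:
                findings.append("Cannot be negative")
        elif name in ("no-cache", "private") and has_value:
            # the field-name list must use straight ASCII quotes, not smart quotes
            if len(val) < 2 or val[0] != '"' or val[-1] != '"':
                findings.append("Must be a quoted string")
    if "public" in seen and "private" in seen:
        findings.append("Public and private directives")
    if "max-age" not in seen and expires is None:
        # satisfied either by max-age=N or by an Expires header
        findings.append("Insecure configuration")
    return findings
```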
Content-Security-Policy
Unsafe Keywords and Sources
Content-Security-Policy (CSP) allows resources to be fetched from unsafe sources and can facilitate XSS by allowing code to be included directly in the document. See proper implementation.
“Unsafe-eval” is insecure
Unsafe-eval is vulnerable to XSS attacks.
Remediation: Remove the “unsafe-eval” keyword from your CSP.
“Unsafe-inline” is insecure
Unsafe-inline is vulnerable to XSS attacks.
Remediation: Remove the “unsafe-inline” keyword from your CSP.
Insecure redirect
This security policy allows a redirect that is not secure.
Remediation: Remove any use of unsafe-redirect in your CSP.
“Blob” source is insecure
The “blob” source may allow the loading of unsafe resources.
Remediation: Remove “blob:” from the source list in your CSP.
“Data” source is insecure
The “data” source may allow the loading of unsafe resources.
Remediation: Remove “data:” from the source list in your CSP.
“Filesystem” source is insecure
The “filesystem” source may allow the loading of unsafe resources.
Remediation: Remove “filesystem:” from the source list in your CSP.
Potentially insecure policy
This CSP has issues that may make it insecure.
Remediation: Remove any instances of “unsafe-” keywords and “blob, data, filesystem” sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP.
Unspecified or Invalid Sources
The policy fails to specify directive sources or incorporates a wildcarded source.
Asterisks in the source are insecure
This source allows potentially unsafe resources to be loaded from anywhere.
Remediation: Remove any instance of the asterisk character (*) that stands alone as a source in your CSP.
Source is too broad
This source is too broad to properly prevent attacks.
Remediation: Use specific sources, such as https://www.example.com. Remove generalizations, such as http:, https:, https://*.com. Make sure the source is not in Mozilla's Public Suffix list; sources from this list will cause this error.
Conflicting source expressions
The “none” source expression, which represents a lack of URLs, is listed along with other URLs.
Remediation: Choose either “none” or specify source URLs, but do not use both in your CSP.
Default-src inherited
This directive was not explicitly specified, so the default-src will be used instead.
Remediation: Set specific policies for your directives. Otherwise, the default-src directive will be used instead.
Invalid host source
The host source is invalid or improperly formatted.
Remediation: Ensure your host source is properly formatted in your CSP. Learn more at W3C CSP.
Invalid source expression
This source cannot be included in a CSP.
Remediation: Use only valid source expressions in your CSP. Learn more at W3C CSP.
Missing default-src
The default-src directive is not set.
Remediation: Use the default-src directive in your CSP, as specified in W3C CSP.
Missing source list
There is no source list in this CSP.
Remediation: Add components to the source list for your CSP. Learn more at W3C CSP.
Invalid Directives
The policy contains directives that are invalid or circumvent other directives. The policy is likely not operating as intended.
Directive is not allowed
This is not a valid directive for this HTTP header.
Remediation: Ensure your directives use approved expressions and they do not contain spelling errors.
Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.
Empty policy
This security policy has no sources, rendering it ineffective.
Remediation: Make sure that your source-list is not empty and refers to complete URLs or IP addresses, as described in Policy Delivery: Content-Security-Policy Header Field (section 3.1).
Header overwritten
Another header has overwritten this CSP, rendering it invalid.
Remediation: Check your CSP headers and ensure that your headers do not conflict with each other.
Header set more than once
This header cannot be set more than once.
Remediation: Remove duplicate headers and duplicate header definitions from your HTTP headers.
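The CSP findings listed in the three groups above, as an added checker that is not from the original page: it assumes a single header value and approximates the "too broad" test with bare schemes and single-label wildcard suffixes instead of the Public Suffix List.

```python
import re

# Added example, not the page's own code: flags the CSP problems described above
# in a Content-Security-Policy value. Returned names mirror the page's headings.
# Simplification: "too broad" is detected for bare schemes and for wildcards
# under a single-label suffix (e.g. https://*.com), not the full Public Suffix List.
UNSAFE_KEYWORDS = {"'unsafe-inline'": "unsafe-inline is insecure",
                   "'unsafe-eval'": "unsafe-eval is insecure"}
UNSAFE_SCHEMES = {"blob:": "blob source is insecure",
                  "data:": "data source is insecure",
                  "filesystem:": "filesystem source is insecure"}
TOO_BROAD = re.compile(r"https?:|(https?://)?\*\.[a-z0-9-]+")

def check_csp(policy):
    findings = []
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name in directives:
            findings.append("Directive used multiple times")
            continue
        directives[name] = sources
        if not sources:
            findings.append("Missing source list")
            continue
        if "'none'" in sources and len(sources) > 1:
            findings.append("Conflicting source expressions")
        for src in sources:
            low = src.lower()
            if low in UNSAFE_KEYWORDS:
                findings.append(UNSAFE_KEYWORDS[low])
            elif low in UNSAFE_SCHEMES:
                findings.append(UNSAFE_SCHEMES[low])
            elif low == "*":
                findings.append("Asterisks in the source are insecure")
            elif TOO_BROAD.fullmatch(low):
                findings.append("Source is too broad")
    if not directives:
        findings.append("Empty policy")
    elif "default-src" not in directives:
        findings.append("Missing default-src")
    return findings
```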
Expires Header
Expires date is invalid
The Expires date is invalid or improperly formatted.
Remediation: Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.”
Expires date is too far in the future
The Expires date should not be more than a year in the future.
Remediation: Change the date to be no more than one year ahead of the current day.
HTTP Downgrade
Links are evaluated to determine if any link results in a downgrade of the recipient, from an HTTPS connection to an HTTP connection.
HTTPS to HTTP link (intra-domain)
HTTPS webpage with internal HTTP link to same domain.
Remediation: Avoid using HTTP links on HTTPS webpages.
HTTPS to HTTP link (intra-site)
HTTPS webpage with internal HTTP link to same site.
Remediation: Avoid using HTTP links on HTTPS webpages.
HTTP Strict-Transport-Security (HSTS)
Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.
“includeSubDomains” is misspelled
The “includeSubDomains” phrase is misspelled.
Remediation: Ensure the capitalization for “includeSubDomains” is exact.
Invalid max-age
This field is not an integer, is too long, or contains a syntax error.
Remediation: The max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.
Max-age is not set
Max-age is a required directive used to help prevent man-in-the-middle (MITM) attacks.
Remediation: Use the max-age directive in your HTTP Strict-Transport-Security header, as specified in RFC-6797 (section 6.1.1). Ensure it contains only a positive number. To avoid the “max-age is too small” warning, set the max-age to at least 86400.
Max-age is too small
The Max-age should be set to at least 86400.
Remediation: Change the max-age directive in your HTTP Strict-Transport-Security header to be greater than or equal to 86400.
“Preload” is misspelled
The word “preload” is misspelled.
Remediation: Ensure “preload” is spelled correctly.
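The HSTS rules above, as an added validator that is not part of the original page: it applies the page's 86400 threshold and exact-case test for includeSubDomains and preload, and treats other unknown tokens as ignored.

```python
import re

# Added example, not the page's own code: validates a Strict-Transport-Security
# value against the rules above. Returned names mirror the page's headings.
# Only the exact-case variants of includeSubDomains and preload are recognised;
# other unknown tokens are ignored, as a browser would ignore them.
MIN_MAX_AGE = 86400  # the page's threshold for "Max-age is too small"

def check_hsts(value):
    findings = []
    seen = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip(), val.strip()
        key = name.lower()
        if key in seen:
            findings.append("Directive used multiple times")
        seen.append(key)
        if key == "max-age":
            # must be a plain integer within the 32-bit signed range
            if not re.fullmatch(r"-?\d+", val) or not -2**31 <= int(val) <= 2**31 - 1:
                findings.append("Invalid max-age")
            elif int(val) < MIN_MAX_AGE:
                findings.append("Max-age is too small")
        elif key == "includesubdomains" and name != "includeSubDomains":
            findings.append("includeSubDomains is misspelled")
        elif key == "preload" and name != "preload":
            findings.append("preload is misspelled")
    if "max-age" not in seen:
        findings.append("Max-age is not set")
    return findings
```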
Ineffective Header
Ineffective headers: {{1}}
The implementation of these header(s) does not follow security best practices.
Remediation: Ensure your headers are implemented correctly, as outlined in RFC-7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.
Optional headers ineffective: [HTML_REMOVED]
The following number of headers are formatted in a way that makes them ineffective.
Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).
Required headers ineffective: [HTML_REMOVED]
The following number of headers are formatted in a way that makes them ineffective.
Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).
Invalid
Invalid character
This response contains invalid characters.
Remediation: Header values may contain only ASCII characters other than control characters, plus the allowed separator characters, as specified in RFC-2616 (section 4.2).
Invalid URL
The URL specified by this directive is not valid.
Remediation: Ensure the URL is correctly formatted and is a valid and existing URL.
Must be a valid integer
This value must be a valid integer between -2^31 and 2^31 - 1.
Remediation: Ensure the value is a valid integer and does not contain any characters other than digits.
Value not allowed
No value is allowed for this directive.
Remediation: Do not include a value along with this directive; it is directive-only.
Location Header
HTTPS redirect to HTTP
An HTTPS URI redirects to an HTTP URI.
Remediation: Avoid downgrading user connections from secure to insecure. Learn why…
Missing Data
Header is missing
This required header was not found.
Remediation: Ensure your policy correctly implements the required headers. See required headers.
Missing directive
A required directive cannot be found.
Remediation: Ensure your policy correctly implements the required headers. See required headers.
Missing required headers
One or more required security headers are not set.
Remediation: Ensure your policy correctly implements the required headers. See required headers.
Missing URL
There is no URL specified by this directive.
Remediation: Include a valid and existing URL. Ensure it is correctly formatted.
No security headers are set
None of the security headers are set.
Remediation: Set your security headers. Refer to the required headers.
No value set
A value is expected for this directive, but none is set.
Remediation: Ensure that you have set a value for this directive.
Required headers not set: [HTML_REMOVED]
The following number of required headers are not set.
Remediation: Ensure your policy correctly implements the required headers.
Redirects
Sites with a confirmed immediate redirect (using a redirect code 301, 302, 307) are graded as NEUTRAL. Resources are evaluated to check if any external dependency is used through HTTP (non-HTTPS) that might leave the application users at risk.
HTTP external resource on HTTPS
HTTPS webpage with an external HTTP resource.
Remediation: Avoid using HTTP external resources on HTTPS webpages.
Redirect
The page redirected to a different hostname or IP using a 301, 302, or 307 status code.
Set-Cookie Header
HTTP headers are not graded unless the Set-Cookie header is set. See proper implementation.
Empty cookie value
The cookie value is empty.
Remediation: The “cookie-value” field cannot be empty. Ensure it is a valid cookie ID, enclosed in double quotes, and contains only valid ASCII characters.
Invalid character
There is an invalid character in the cookie value.
Remediation: Make sure that in your Set-Cookie header, the cookie-value attribute contains only US-ASCII characters, excluding CTLs, whitespace, commas, semicolons, and backslashes. See Set-Cookie syntax.
Invalid cookie pair
The cookie name-value pair is invalid.
Remediation: Ensure the cookie-name, cookie-value, and cookie-pair attributes are used correctly and have correct values in your Set-Cookie header. See Set-Cookie syntax for additional details.
Invalid domain
This field does not contain a valid domain.
Remediation: Ensure the domain-value attribute in your Set-Cookie header has a value that refers to an existing domain, is spelled correctly, and if it is an IP address, that it is complete.
Invalid expires value
The Expires date is invalid or is improperly formatted.
Remediation: Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.”
Invalid max-age
This field is not an integer, is too long, or contains a syntax error.
Remediation: The max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.
Invalid path
The path setting does not contain a valid path.
Remediation: Ensure the path-av attribute has a value that refers to an actual and existing forward path (yourdomain.com/path).
No cookie pair
No cookie pair found.
Remediation: Ensure the “cookie pair” attribute in your Set-Cookie header exists and is used in the following manner: cookie-pair = cookie-name "=" cookie-value. See Set-Cookie syntax for additional details.
No Set-Cookie
For HTTP connections, no headers are graded unless Set-Cookie is defined.
Remediation: Please review all header requirements.
No Set-Cookie found
For HTTP connections, no headers are graded unless Set-Cookie is defined.
As of August 22, 2023, no new findings are associated with this message. Refer to No Set-Cookie for up-to-date messages.
Remediation: Please review all header requirements. Define your set-cookie header to be graded as “GOOD” and enable grading for all other headers.
Repeated ID
Two or more cookies are using the same ID.
Remediation: Ensure the first “name = value;” pair in your Set-Cookie header is not using a duplicated setting.
Secure is not set
The secure directive is not set.
Remediation: Ensure the secure value in your Set-Cookie header is being used in your directive.
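The Set-Cookie rules above, as an added checker that is not part of the original page: it validates one header value and, for the "Repeated ID" finding, compares names across several Set-Cookie headers; domain and path are checked for syntax only, not resolved.

```python
import re
from email.utils import parsedate_to_datetime

# Added example, not the page's own code: checks one Set-Cookie value against the
# rules above, plus a helper for the "Repeated ID" finding across several cookies.
# Returned names mirror the page's headings; domain/path checks are syntax-only.
def _valid_cookie_value(val):
    # optional DQUOTEs around US-ASCII excluding CTLs, whitespace, double quotes,
    # commas, semicolons and backslashes
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        val = val[1:-1]
    return all(0x21 <= ord(c) <= 0x7e and c not in '",;\\' for c in val)

def check_set_cookie(value):
    findings = []
    parts = [p.strip() for p in value.split(";")]
    pair, attrs = parts[0], parts[1:]
    if not pair:
        return ["No cookie pair"]
    name, eq, cval = pair.partition("=")
    if not eq or not name.strip():
        findings.append("Invalid cookie pair")
    elif cval == "":
        findings.append("Empty cookie value")
    elif not _valid_cookie_value(cval):
        findings.append("Invalid character")
    keys = []
    for attr in attrs:
        k, _, v = attr.partition("=")
        k, v = k.strip().lower(), v.strip()
        keys.append(k)
        if k == "max-age" and not (re.fullmatch(r"-?\d+", v) and -2**31 <= int(v) <= 2**31 - 1):
            findings.append("Invalid max-age")
        elif k == "expires":
            try:
                parsedate_to_datetime(v)  # e.g. Sun, 06 Nov 1994 08:49:37 GMT
            except (TypeError, ValueError):
                findings.append("Invalid expires value")
        elif k == "path" and not v.startswith("/"):
            findings.append("Invalid path")
        elif k == "domain" and not re.fullmatch(r"\.?[a-z0-9-]+(\.[a-z0-9-]+)+", v.lower()):
            findings.append("Invalid domain")
    if "secure" not in keys:
        findings.append("Secure is not set")
    return findings

def repeated_ids(set_cookie_headers):
    names = [h.split(";", 1)[0].partition("=")[0].strip() for h in set_cookie_headers]
    return sorted({n for n in names if names.count(n) > 1})
```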
WWW-Authenticate Header
Authentication over HTTP
Requiring authentication over HTTP.
Remediation: Only use authentication forms on HTTPS resources.
X-Content-Type-Options
Must be “nosniff”
The first field should contain a “nosniff” value.
Remediation: Set the value for X-Content-Type-Options to be “nosniff.”
X-Frame-Options
Too many directives
Browsers only support one X-Frame-Options header and one value within that header.
Remediation: Ensure the X-Frame-Options header contains either only the DENY or the SAMEORIGIN option.
X-XSS-Protection
Incompatible setting
This setting is incompatible with earlier settings in this header.
Remediation: Ensure that your settings do not conflict with each other, as specified in W3C Access Control for CSR.
Must be “block”
The mode must be set to “block,” as it is the only accepted value.
Remediation: If X-XSS-Protection is enabled, the mode must be set to “block” and cannot be set to anything else.
Must be 0 or 1
The first directive must be either “0” or “1,” as these are the only values that disable or enable the header.
Remediation: The first directive in the X-XSS-Protection header must be 0 or 1; it cannot be any other number or contain text.
Report must be last
The Report directive must come last, otherwise a client might ignore this value.
Remediation: Ensure your X-XSS-Protection header directives are ordered correctly and that “Report” is the last directive.
- August 29, 2024: Linked to proper implementation resources.
- September 12, 2023: Published.