Web Application Header Finding Messages

Ingrid

Note: The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned an N/A grade.

Finding messages (remediations) for Web Application Header findings are listed below for these headers: Access-Control-Allow-Origin Header, Cache Control, Content-Security-Policy, Expires Header, HTTP Downgrade, HTTP Strict-Transport-Security (HSTS), Ineffective Header, Invalid, Location Header, Missing Data, Redirects, Set-Cookie Header, WWW-Authenticate Header, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection.

Access-Control-Allow-Origin Header

“null” must be lowercase
A “null” setting must be lowercase.
Remediation: Use only lowercase letters for the “null” value.

Can only be used for first setting
A “*” or “null” can only be used for the first setting.
Remediation: Ensure the first value in the setting is either “*” or “null” (lowercase only).

Duplicate entries
There are duplicate entries.
Remediation: Remove duplicate entries and ensure the remaining values are formatted correctly.

Incompatible setting
This setting is incompatible with earlier settings in this header.
Remediation: Ensure your settings do not conflict with each other, as specified in W3C Access Control for CSR.

Cache Control

Cannot be negative
This directive must be set to a value greater than or equal to zero.
Remediation: When specifying max-age or any other number in your Cache-Control header, it must be an integer greater than or equal to 0.

Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.

Insecure configuration
This Cache-Control configuration is insecure.
Remediation: To satisfy this requirement, there are two choices. The first choice is to use the directive "max-age=N" with Cache-Control, where N is an integer greater than or equal to zero. The second choice is to set the Expires header.
For example, you can set Expires to “0” or, if desired, to a negative value to disable caching. See RFC-7234 (sections 5.2 and 5.3) for more information.

Must be a quoted string
This value must be a string contained within double quotes.
Remediation: Ensure the attribute begins and ends with straight double quotation marks (") and does not contain typographer's (smart) quotes (“ and ”).

Must be an integer
The max-age value must be an integer.
Remediation: Max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.

Public and private directives
Public and private directives cannot be set simultaneously.
Remediation: Choose either the “public” or the “private” value in your directive, but not both.

Satisfied by Expires header
Cache-Control is effectively implemented by the presence of the Expires header.

Value is missing
The Cache-Control value is missing.
Remediation: Implement Cache-Control correctly, according to RFC-7234.

Value not allowed
This Cache-Control value is not allowed for this directive.
Remediation: Use correct values. See RFC-7234 for a comprehensive overview of Cache-Control.

Content-Security-Policy

Unsafe Keywords and Sources
Content-Security-Policy (CSP) allows resources to be fetched from unsafe sources and can facilitate XSS by allowing code to be included directly in the document.

“unsafe-eval” is insecure
unsafe-eval is vulnerable to XSS attacks.
Remediation: Remove the “unsafe-eval” keyword from your CSP.

“unsafe-inline” is insecure
unsafe-inline is vulnerable to XSS attacks.
Remediation: Remove the “unsafe-inline” keyword from your CSP.

Insecure redirect
This security policy allows a redirect that is not secure.
Remediation: Remove any use of unsafe-redirect in your CSP.

“blob” source is insecure
The “blob” source may allow the loading of unsafe resources.
Remediation: Remove “blob:” from the source list in your CSP.
“data” source is insecure
The “data” source may allow the loading of unsafe resources.
Remediation: Remove “data:” from the source list in your CSP.

“filesystem” source is insecure
The “filesystem” source may allow the loading of unsafe resources.
Remediation: Remove “filesystem:” from the source list in your CSP.

Potentially insecure policy
This CSP has issues that may make it insecure.
Remediation: Remove any instances of “unsafe-” keywords and the “blob”, “data” and “filesystem” sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP.

Unspecified or Invalid Sources
The policy fails to specify directive sources or incorporates a wildcarded source.

Asterisks in the source are insecure
This source allows potentially unsafe resources to be loaded from anywhere.
Remediation: Remove any instance of the asterisk character (*) that stands by itself from your CSP.

Source is too broad
This source is too broad to properly prevent attacks.
Remediation: Use specific sources, such as https://www.example.com. Remove generalizations such as http:, https:, or https://*.com. Make sure the source is not in Mozilla's Public Suffix list; sources from that list will cause this error.

Conflicting source expressions
The “none” source expression, which represents an empty set of URLs, is listed along with other URLs.
Remediation: Choose either “none” or specific source URLs, but do not use both in your CSP.

Default-src inherited
This directive was not explicitly specified, so default-src will be used instead.
Remediation: Set specific policies for your directives; otherwise, the default-src directive will be used instead.

Invalid host source
The host source is invalid or improperly formatted.
Remediation: Ensure your host source is properly formatted in your CSP. Learn more at W3C CSP.

Invalid source expression
This source cannot be included in a CSP.
Remediation: Use only valid source expressions in your CSP. Learn more at W3C CSP.
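The unsafe-keyword, unsafe-scheme, bare-wildcard, too-broad and conflicting-“none” checks described above, as an added Python example that is not part of the original article or of the grading engine it describes. The sample policies are constructed, and the single-label-suffix heuristic used for "too broad" is an assumption standing in for a Public Suffix List lookup.

```python
import re

# Keywords and schemes the finding messages above call insecure.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
UNSAFE_SCHEMES = {"blob:", "data:", "filesystem:"}

def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; repeats are reported and skipped."""
    policy, findings = {}, []
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in policy:
            findings.append(f"{name}: directive used multiple times")
            continue  # browsers honour the first occurrence only
        policy[name] = sources
    return policy, findings

def audit_csp(header):
    """Return the finding messages a policy would trigger (empty list means clean)."""
    policy, findings = parse_csp(header)
    if "default-src" not in policy:
        findings.append("missing default-src")
    for name, sources in policy.items():
        if not sources:
            findings.append(f"{name}: missing source list")
            continue
        lowered = [s.lower() for s in sources]
        if "'none'" in lowered and len(lowered) > 1:
            findings.append(f"{name}: 'none' conflicts with other sources")
        for src in lowered:
            if src in UNSAFE_KEYWORDS:
                findings.append(f"{name}: {src} is insecure")
            elif src in UNSAFE_SCHEMES:
                findings.append(f"{name}: {src} source is insecure")
            elif src == "*":
                findings.append(f"{name}: bare asterisk allows any origin")
            # Scheme-only sources and a wildcard under a bare single-label suffix count as
            # too broad (assumption: this heuristic stands in for the Public Suffix List).
            elif src in ("http:", "https:") or re.fullmatch(r"https?://\*\.[a-z]+", src):
                findings.append(f"{name}: source {src} is too broad")
    return findings

# Constructed sample policies (not from the page): one trips several checks, one passes.
WEAK_CSP = ("default-src 'self' 'unsafe-inline' data:; script-src *; img-src https:; "
            "frame-ancestors 'none' https://a.example; script-src 'self'")
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "object-src 'none'; frame-ancestors 'none'")
```

Calling audit_csp(WEAK_CSP) returns six findings (duplicate script-src, unsafe-inline, data:, bare *, https: too broad, and the frame-ancestors conflict), while audit_csp(HARDENED_CSP) returns an empty list.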
Missing default-src
The default-src directive is not set.
Remediation: Use the default-src directive in your CSP, as specified in W3C CSP.

Missing source list
There is no source list in this CSP.
Remediation: Add components to the source list for your CSP. Learn more at W3C CSP.

Invalid Directives
The policy contains directives that are invalid or circumvent other directives. The policy is likely not operating as intended.

Directive is not allowed
This is not a valid directive for this HTTP header.
Remediation: Ensure your directives use approved expressions and do not contain spelling errors.

Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.

Empty policy
This security policy has no sources, rendering it ineffective.
Remediation: Make sure that your source list is not empty and refers to complete URLs or IP addresses, as described in Policy Delivery: Content-Security-Policy Header Field (section 3.1).

Header overwritten
Another header has overwritten this CSP, rendering it invalid.
Remediation: Check your CSP headers and ensure that they do not conflict with each other.

Header set more than once
This header cannot be set more than once.
Remediation: Remove duplicate headers and duplicate header definitions from your HTTP headers.

Expires Header

Expires date is invalid
The Expires date is invalid or improperly formatted.
Remediation: Ensure the field contains a valid date in the format specified by RFC-7231, for example “Sun, 06 Nov 1994 08:49:37 GMT”.

Expires date is too far in the future
The Expires date should not be more than a year in the future.
Remediation: Change the date to be no more than one year ahead of the current day.

HTTP Downgrade
Links are evaluated to determine whether any link results in a downgrade of the recipient from an HTTPS connection to an HTTP connection.

HTTPS to HTTP link (intra-domain)
HTTPS webpage with an internal HTTP link to the same domain.
Remediation: Avoid using HTTP links on HTTPS webpages.

HTTPS to HTTP link (intra-site)
HTTPS webpage with an internal HTTP link to the same site.
Remediation: Avoid using HTTP links on HTTPS webpages.

HTTP Strict-Transport-Security (HSTS)

Directive used multiple times
This directive can only be used once.
Remediation: Remove duplicate directives from your policy.

“includeSubDomains” is misspelled
The “includeSubDomains” phrase is misspelled.
Remediation: Ensure the capitalization of “includeSubDomains” is exact.

Invalid max-age
This field is not an integer, is too long, or contains a syntax error.
Remediation: The max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.

Max-age is not set
max-age is a required directive used to help prevent man-in-the-middle (MITM) attacks.
Remediation: Use the max-age directive in your HTTP Strict-Transport-Security header, as specified in RFC-6797 (section 6.1.1). Ensure it contains only a positive number. To avoid the “max-age is too small” warning, set the max-age to at least 86400.

Max-age is too small
The max-age should be set to at least 86400.
Remediation: Change the max-age directive in your HTTP Strict-Transport-Security header to be greater than or equal to 86400.

“preload” is misspelled
The word “preload” is misspelled.
Remediation: Ensure “preload” is spelled correctly.

Ineffective Header

Ineffective headers: {{1}}
The implementation of these header(s) does not follow security best practices.
Remediation: Ensure your headers are implemented correctly, as outlined in RFC-7231. Your headers should not permit caching of encrypted content. They should also grant specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.

Optional headers ineffective: [HTML_REMOVED]
The following number of headers are formatted in a way that makes them ineffective.
Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).

Required headers ineffective: [HTML_REMOVED]
The following number of headers are formatted in a way that makes them ineffective.
Remediation: Format your headers correctly, as outlined in RFC-7230 (section 3.2).

Invalid

Invalid character
This response contains invalid characters.
Remediation: Responses may only include ASCII characters, excluding control characters, and the allowed separator characters, as specified in RFC-2616 (section 4.2).

Invalid URL
The URL specified by this directive is not valid.
Remediation: Ensure the URL is correctly formatted and is a valid, existing URL.

Must be a valid integer
This value must be a valid integer between -2^31 and 2^31 - 1.
Remediation: Ensure the value is a valid integer and does not contain any characters other than digits.

Value not allowed
No value is allowed for this directive.
Remediation: Do not include a value along with this directive; it is directive-only.

Location Header
See proper implementation.

HTTPS redirect to HTTP
An HTTPS URI is redirecting to an HTTP URI.
Remediation: Avoid downgrading user connections from secure to insecure. Learn why…

Missing Data

Header is missing
This required header was not found.
Remediation: Ensure your policy correctly implements the required headers. See required headers.

Missing directive
A required directive cannot be found.
Remediation: Ensure your policy correctly implements the required headers. See required headers.

Missing required headers
One or more required security headers are not set.
Remediation: Ensure your policy correctly implements the required headers. See required headers.

Missing URL
There is no URL specified by this directive.
Remediation: Include a valid and existing URL. Ensure it is correctly formatted.

No security headers are set
None of the security headers are set.
Remediation: Set your security headers. Refer to the required headers.
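The HSTS directive checks listed earlier (max-age present, within the 32-bit range and at least 86400; exact spelling of includeSubDomains and preload; no repeated directive) together with the missing-header findings of this section, as an added Python example that is not from the article or the grading engine it describes. The list of required headers is an assumption, since the page only links to its own list, and the sample header values are constructed.

```python
import re

# Assumed required-header list (the page only links to its own); drives the missing-header checks.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
MIN_HSTS_MAX_AGE = 86400  # the page's "max-age is too small" threshold
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def audit_hsts(value):
    """Apply the HSTS finding rules to one Strict-Transport-Security header value."""
    findings, seen = [], set()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg, key = name.strip(), arg.strip(), name.strip().lower()
        if not key:
            continue
        if key in seen:
            findings.append(f"{name}: directive used multiple times")
            continue
        seen.add(key)
        if key == "max-age":
            # Digits only and inside the 32-bit range; then apply the 86400 floor.
            if not re.fullmatch(r"-?\d+", arg) or not INT32_MIN <= int(arg) <= INT32_MAX:
                findings.append("invalid max-age")
            elif int(arg) < MIN_HSTS_MAX_AGE:
                findings.append("max-age is too small")
        # The page asks for exact capitalization, so these compare case-sensitively.
        elif key == "includesubdomains" and name != "includeSubDomains":
            findings.append("includeSubDomains is misspelled")
        elif key == "preload" and name != "preload":
            findings.append("preload is misspelled")
        elif key not in ("includesubdomains", "preload"):
            findings.append(f"unknown directive: {name}")
    if "max-age" not in seen:
        findings.append("max-age is not set")
    return findings

def audit_required_headers(headers):
    """Report required headers absent from a response; header names are case-insensitive."""
    present = {k.lower() for k in headers}
    missing = [h for h in REQUIRED_HEADERS if h not in present]
    if len(missing) == len(REQUIRED_HEADERS):
        return ["no security headers are set"]
    return [f"header is missing: {h}" for h in missing]

# Constructed sample values (not from the page).
WEAK_HSTS = "max-age=300; includesubdomains; max-age=300; preloadd"
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_RESPONSE = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff",
                   "Strict-Transport-Security": GOOD_HSTS}
```

audit_hsts(WEAK_HSTS) reports the short max-age, the miscapitalized includeSubDomains, the repeated max-age and the unknown "preloadd" token; audit_required_headers(SAMPLE_RESPONSE) reports the two headers the constructed response lacks.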
No value set
A value is expected for this directive, but none is set.
Remediation: Ensure that you have set a value for this directive.

Required headers not set: [HTML_REMOVED]
The following number of required headers are not set.
Remediation: Ensure your policy correctly implements the required headers.

Redirects
Sites with a confirmed immediate redirect (using redirect code 301, 302, or 307) are graded as NEUTRAL. Resources are evaluated to check whether any external dependency is loaded over HTTP (non-HTTPS), which might leave the application's users at risk.

HTTP external resource on HTTPS
HTTPS webpage with an external HTTP resource.
Remediation: Avoid using HTTP external resources on HTTPS webpages.

Redirect
The page redirected to a different hostname or IP using a 301, 302, or 307 status code.

Set-Cookie Header
HTTP headers are not graded unless the Set-Cookie header is set.

Empty cookie value
The cookie value is empty.
Remediation: The “cookie-value” field cannot be empty. Ensure it is a valid cookie ID, enclosed in double quotes, and contains only valid ASCII characters.

Invalid character
There is an invalid character in the cookie value.
Remediation: Make sure that in your Set-Cookie header, the cookie-value attribute contains only US-ASCII characters, excluding CTLs, whitespace, commas, semicolons, and backslashes. See Set-Cookie syntax.

Invalid cookie pair
The cookie name-value pair is invalid.
Remediation: Ensure the cookie-name, cookie-value, and cookie-pair attributes are used correctly and have correct values in your Set-Cookie header. See Set-Cookie syntax for additional details.

Invalid domain
This field does not contain a valid domain.
Remediation: Ensure the domain-value attribute in your Set-Cookie header refers to an existing domain, is spelled correctly, and, if it is an IP address, is complete.

Invalid expires value
The Expires date is invalid or improperly formatted.
Remediation: Ensure the field contains a valid date in the format specified by RFC-7231, for example “Sun, 06 Nov 1994 08:49:37 GMT”.

Invalid max-age
This field is not an integer, is too long, or contains a syntax error.
Remediation: The max-age must be an integer between -2^31 and 2^31 - 1 and cannot contain any characters other than digits.

Invalid path
The path setting does not contain a valid path.
Remediation: Ensure the path-av attribute has a value that refers to an actual, existing forward path (yourdomain.com/path).

No cookie pair
No cookie pair found.
Remediation: Ensure the “cookie pair” attribute in your Set-Cookie header exists and is used in the following manner: cookie-pair = cookie-name "=" cookie-value. See Set-Cookie syntax for additional details.

No Set-Cookie
For HTTP connections, no headers are graded unless Set-Cookie is defined.
Remediation: Please review all header requirements.

No Set-Cookie found
For HTTP connections, no headers are graded unless Set-Cookie is defined. As of August 22, 2023, no new findings are associated with this message. Refer to No Set-Cookie for up-to-date messages.
Remediation: Please review all header requirements. Define your Set-Cookie header to be graded as “GOOD” and enable grading for all other headers.

Repeated ID
Two or more cookies are using the same ID.
Remediation: Ensure the first “name=value;” pair in your Set-Cookie header is not using a duplicated setting.

Secure is not set
The Secure directive is not set.
Remediation: Ensure the Secure attribute is present in your Set-Cookie header.

WWW-Authenticate Header

Authentication over HTTP
Authentication is being required over HTTP.
Remediation: Only use authentication forms on HTTPS resources.

X-Content-Type-Options

Must be “nosniff”
The first field should contain a “nosniff” value.
Remediation: Set the value of X-Content-Type-Options to “nosniff”.

X-Frame-Options

Too many directives
Browsers only support one X-Frame-Options header and one value within that header.
Remediation: Ensure the X-Frame-Options header contains only the DENY or the SAMEORIGIN option.

X-XSS-Protection

Incompatible setting
This setting is incompatible with earlier settings in this header.
Remediation: Ensure that your settings do not conflict with each other, as specified in W3C Access Control for CSR.

Must be “block”
The mode must be set to “block”, as it is the only accepted value.
Remediation: If X-XSS-Protection is enabled, the mode must be set to “block” and cannot be set to anything else.

Must be 0 or 1
The first directive must be either “0” or “1”, as these are the only values that enable or disable the header.
Remediation: The first directive in the X-XSS-Protection header must be 0 or 1; it cannot be any other number or contain text.

Report must be last
The report directive must come last; otherwise a client might ignore this value.
Remediation: Ensure your X-XSS-Protection header directives are ordered correctly and that “report” is the last directive.

October 14, 2025: WAH non-graded.
August 29, 2024: Linked to proper implementation resources.
September 12, 2023: Published.

Related articles
How is the Web Application Headers Risk Vector Assessed?
What Content-Security-Policy (CSP) Directives are Assessed?
Web Application Header Findings
Web Application Header Finding Grades
TLS/SSL Finding Remediation & Remediation Verification