Publication Date – September 12, 2023
⇤ Web Application Header Findings
Access-Control-Allow-Origin Header
See proper implementation.
| Message |
Description |
Remediation |
| “null” must be lowercase |
A “null” setting must be lowercase. |
Use only lowercase letters for the “null” value. |
| Can only be used for first setting |
A “*” or “null” can only be used for the first setting. |
Ensure the first values in the setting are either “*” or “null” (lowercase only). |
| Duplicate entries |
There are duplicate entries. |
Remove duplicate entries and ensure the remaining values are formatted correctly. |
| Incompatible setting |
This setting is incompatible with earlier settings in this header. |
Ensure your settings do not conflict with each other, as specified in W3C Access Control for CSR. |
Cache Control
| Message |
Description |
Remediation Instructions |
| Cannot be negative |
This directive must be set to a value greater than or equal to zero. |
When specifying max-age or any other number in your Cache-Control header, it must be an integer greater than or equal to 0. |
| Directive used multiple times |
This directive can only be used once. |
Remove duplicate directives from your policy. |
| Insecure configuration |
This cache-control configuration is insecure. |
To satisfy this requirement, there are two choices. The first choice is to use the directive "max-age=N" with Cache-Control where N is an integer greater than or equal to zero. The second choice is to set the Expires header. For example, you can set Expires to “0,” or if desired, set to a negative value to disable caching. See RFC-7234 (sections 5.2 and 5.3) for more info. |
| Must be a quoted string |
This value must be a string contained within double quotes. |
Ensure the attribute begins and ends with double quotation marks (") and (") and does not contain smart typographer's quotes (“) and (”). |
| Must be an integer |
The max-age value must be an integer. |
Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers. |
| Public and private directives |
Public and private directives cannot be set simultaneously. |
Choose either the “public” or “private” value in your directive, but not both. |
| Satisfied by Expires header |
Cache-Control is effectively implemented by the presence of the Expires header. |
|
| Value is missing |
The cache-control value is missing. |
Implement Cache-Control correctly, according to RFC-7234. |
| Value not allowed |
This cache-control value is not allowed for this directive. |
Use correct values. Please see RFC-7234 for a comprehensive overview of cache-control. |
Content-Security-Policy
Unsafe Keywords and Sources
Content-Security-Policy (CSP) allows resources to be fetched from unsafe sources and can facilitate XSS by allowing code to be included directly in the document.
| Message |
Description |
Remediation Instructions |
| “Unsafe-eval” is insecure |
Unsafe-eval is vulnerable to XSS attacks. |
Remove the “unsafe-eval” keyword from your CSP. |
| “Unsafe-inline” is insecure |
Unsafe-inline is vulnerable to XSS attacks. |
Remove the “unsafe-inline” keyword from your CSP. |
| Insecure redirect |
This security policy allows a redirect that is not secure. |
Remove any use of unsafe-redirect in your CSP. |
| “Blob” source is insecure |
The “blob” source may allow the loading of unsafe resources. |
Remove “blob:” from the source list in your CSP. |
| “Data” source is insecure |
The “data” source may allow the loading of unsafe resources. |
Remove “data:” from the source list in your CSP. |
| “Filesystem” source is insecure |
The “filesystem” source may allow the loading of unsafe resources. |
Remove “filesystem:” from the source list in your CSP. |
| Potentially insecure policy |
This CSP has issues that possibly makes it insecure. |
Remove any instances of “unsafe-” directives and “blob, data, filesystem” sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP. |
Unspecified or Invalid Sources
The policy fails to specify directive sources or incorporates a wildcarded source.
| Message |
Description |
Remediation Instructions |
| Asterisks in the source are insecure |
This source allows potentially unsafe resources to be loaded from anywhere. |
Remove any instances of the asterisk character (*) that are by itself from your CSP. |
| Source is too broad |
This source is too broad to properly prevent attacks. |
Use specific sources, such as https://www.example.com. Remove generalizations, such as http:, https:, https://*.com. Make sure the source is not in Mozilla's Public Suffix list; sources from this list will cause this error. |
| Conflicting source expressions |
The “none” source expression, which represents a lack of URLs, is listed along with other URLs. |
Choose either “none” or specify source URLs, but do not use both in your CSP. |
| Default-src inherited |
This directive was not explicitly specified, so the default-src will be used instead. |
Set specific policies for your directives. Otherwise, the default-src directive will be used instead. |
| Invalid host source |
The host source is invalid or improperly formatted. |
Ensure your host source is properly formatted in your CSP. Learn more at W3C CSP. |
| Invalid source expression |
This source can not be included in a CSP. |
Use only valid source expressions in your CSP. Learn more at W3C CSP. |
| Missing default-src |
The default-src directive is not set. |
Use the default-src directive in your CSP, as specified in W3C CSP. |
| Missing source list |
There is no source list in this CSP. |
Add components to the source list for your CSP. Learn more at W3C CSP. |
Invalid Directives
The policy contains directives that are invalid or circumvent other directives. The policy is likely not operating as intended.
| Message |
Description |
Remediation Instructions |
| Directive is not allowed |
This is not a valid directive for this HTTP header. |
Ensure your directives use approved expressions and they do not contain spelling errors. |
| Directive used multiple times |
This directive can only be used once. |
Remove duplicate directives from your policy. |
| Empty policy |
This security policy has no sources, rendering it ineffective. |
Make sure that your source-list is not empty and refers to complete URLs or IP addresses, as described in Policy Delivery: Content-Security-Policy Header Field (section 3.1). |
| Header overwritten |
Another header has overwritten this CSP, rendering it invalid. |
Check your CSP headers and ensure that your headers do not conflict with each other. |
| Header set more than once |
This header cannot be set more than once. |
Remove duplicate headers and duplicate header definitions from your HTTP headers. |
Expires Header
| Message |
Description |
Remediation |
| Expires date is invalid |
The Expires date is invalid or improperly formatted. |
Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.” |
| Expires date is too far in the future |
The Expires date should not be more than a year in the future. |
Change the date to be no more than one year ahead of the current day. |
HTTP Downgrade
Links are evaluated to determine if any link results in a downgrade of the recipient, from an HTTPS connection to an HTTP connection.
| Message |
Description |
Remediation Instructions |
| HTTPS to HTTP link (intra-domain) |
HTTPS webpage with internal HTTP link to same domain. |
Avoid using HTTP links on HTTPS webpages. |
| HTTPS to HTTP link (intra-site) |
HTTPS webpage with internal HTTP link to same site. |
Avoid using HTTP links on HTTPS webpages. |
HTTP Strict-Transport-Security (HSTS)
| Message |
Description |
Remediation Instructions |
| Directive used multiple times |
This directive can only be used once. |
Remove duplicate directives from your policy. |
| “includeSubDomains” is misspelled |
The “includeSubDomains” phrase is misspelled. |
Ensure the capitalization for “includeSubDomains” is exact. |
| Invalid max-age |
This field is not an integer, is too long, or contains a syntax error. |
The Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers. |
| Max-age is not set |
Max-age is a required directive used to help prevent man-in-the-middle (MITM) attacks. |
Use the max-age directive in your HTTP Strict-Transport-Security header, as specified in RFC-6797 (section 6.1.1). Ensure it contains only a positive number. To avoid the “max-age is too small” warning, set the max-age to at least 86400. |
| Max-age is too small |
The Max-age should be set to at least 86400. |
Change the max-age directive in your HTTP Strict-Transport-Security header to be greater than or equal to 86400. |
| “Preload” is misspelled |
The word “preload” is misspelled. |
Ensure “preload” is spelled correctly. |
| Message |
Description |
Remediation Instructions |
| Ineffective headers: |
The implementation of these header(s) do not follow security best practices. |
Ensure your headers are implemented correctly, as outlined in RFC-7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly. |
| Optional headers ineffective: [HTML_REMOVED] |
The following number of headers are formatted in a way that makes them ineffective. |
Format your headers correctly, as outlined in RFC-7230 (section 3.2). |
| Required headers ineffective: [HTML_REMOVED] |
The following number of headers are formatted in a way that makes them ineffective. |
Format your headers correctly, as outlined in RFC-7230 (section 3.2). |
Invalid
| Message |
Description |
Remediation Instructions |
| Invalid character |
This response contains invalid characters. |
Responses may only include any ASCII character, except control characters, and allowed separator characters, as specified in RFC-2616 (section 4.2). |
| Invalid URL |
The URL specified by this directive is not valid. |
Ensure the URL is correctly formatted and is a valid and existing URL. |
| Must be a valid integer |
This value must be a valid integer between -2^31 and 2^31 -1. |
Ensure the value is a valid integer and does not contain any other characters, aside from numbers. |
| Value not allowed |
No value is allowed for this directive. |
Do not include a value along with this directive; it is directive-only. |
Location Header
| Message |
Description |
Remediation Instructions |
| HTTPS redirect to HTTP. |
HTTPS URI is redirecting to HTTP URI. |
Avoid downgrading user connections from secure to insecure. Learn why… |
Missing Data
| Message |
Description |
Remediation Instructions |
| Header is missing |
This required header was not found. |
Ensure your policy correctly implements the required headers. See required headers. |
| Missing directive |
A required directive cannot be found. |
Ensure your policy correctly implements the required headers. See required headers. |
| Missing required headers |
One or more required security headers are not set. |
Ensure your policy correctly implements the required headers. required headers. |
| Missing URL |
There is no URL specified by this directive. |
Include a valid and existing URL. Ensure it is correctly formatted. |
| No security headers are set |
None of the security headers are set. |
Set your security headers. Refer to the Veracode: Guidelines for Setting Security Headers and the required headers. |
| No value set |
A value is expected for this directive, but none are set. |
Ensure that you have set a value for this directive. |
| Required headers not set: [HTML_REMOVED] |
The following number of required headers are not set. |
Ensure your policy correctly implements the required headers. |
Redirects
Sites with a confirmed immediate redirect (using a redirect code 301, 302, 307) are graded as NEUTRAL. Resources are evaluated to check if any external dependency is used through HTTP (non-HTTPS) that might leave the application users at risk.
| Message |
Description |
Remediation Instructions |
| HTTP external resource on HTTPS. |
HTTPS webpage with an external HTTP resource. |
Avoid using HTTP external resources on HTTPS webpages. |
| Redirect |
The page redirected to a different hostname or IP using a 301, 302, or 307 status code. |
|
Set-Cookie Header
HTTP headings are not graded unless the Set-cookie header is set.
| Message |
Description |
Remediation Instructions |
| Empty cookie value |
The cookie value is empty. |
The “cookie-value” field cannot be empty. Ensure it is a valid cookie ID, enclosed in double quotes, and contains only valid ASCII characters. |
| Invalid character |
There is an invalid character in the cookie value. |
Make sure that in your Set-Cookie header, the cookie-value attribute contains only US-ASCII characters (excluding CTLs), whitespace, commas, semicolons, and backslashes. See Set-Cookie syntax. |
| Invalid cookie pair |
The cookie name-value pair is invalid. |
Ensure the cookie-name, cookie-value, and cookie-pair attributes are used correctly and have correct values in your Set-Cookie header. See Set-Cookie syntax for additional details. |
| Invalid domain |
This field does not contain a valid domain. |
Ensure the domain-value attribute in your Set-Cookie header has a value that refers to an existing domain, is spelled correctly, and if it is an IP address, that it is complete. |
| Invalid expires value |
The Expires date is invalid or is improperly formatted. |
Ensure the field contains a valid date in the format specified by RFC-7231. For example, “Sun, 06 Nov 1994 08:49:37 GMT.” |
| Invalid max-age |
This field is not an integer, is too long, or contains a syntax error. |
The Max-age must be an integer between -2 ^ 31 and 2 ^ 31 - 1 and cannot contain any other characters aside from numbers. |
| Invalid path |
The path setting does not contain a valid path. |
Ensure the path-av attribute has a value that refers to an actual and existing forward path (yourdomain.com/path). |
| No cookie pair |
No cookie pair found. |
Ensure the “cookie pair” attribute in your Set-Cookie header exists and is used in the following manner: cookie-pair = cookie-name "=" cookie-value. See Set-Cookie syntax for additional details. |
| No Set-Cookie |
For HTTP connections, no headers are graded unless Set-Cookie is defined. |
Please review all header requirements. |
| No Set-Cookie found |
For HTTP connections, no headers are graded unless Set-Cookie is defined.
As of August 22, 2023, no new findings are associated with this message. Refer to No Set-Cookie for up-to-date messages.
|
Please review all header requirements. Define your set-cookie header to be graded as “GOOD” and enable grading for all other headers. |
| Repeated ID |
Two or more cookies are using the same ID. |
Ensure the first “name = value;” pair in your Set-Cookie header is not using a duplicated setting. |
| Secure is not set |
The secure directive is not set. |
Ensure the secure value in your Set-Cookie header is being used in your directive. |
WWW-Authenticate Header
See proper implementation.
| Message |
Description |
Remediation |
| Authentication over HTTP. |
Requiring authentication over HTTP. |
Only use auth forms on HTTPS resources. |
X-Content-Type-Options
| Message |
Description |
Remediation Instructions |
| Must be “nosniff” |
The first field should contain a “nosniff” value. |
Set the value for X-Content-Type-Options to be “nosniff.” |
X-Frame-Options
| Message |
Description |
Remediation Instructions |
| Too many directives |
Browsers only support one X-Frame-Options header and one value within that header. |
Ensure the X-Frame-Options header contains either only the DENY or the SAMEORIGIN option. |
X-XSS-Protection
| Message |
Description |
Remediation |
| Incompatible setting |
This setting is incompatible with earlier settings in this header. |
Ensure that your settings do not conflict with each other, as specified in W3C Access Control for CSR. |
| Must be “block” |
The mode must be set to “block,” as it is the only accepted value. |
If X-XSS-Protection is enabled, the mode must be set to “block” and cannot be set to anything else. |
| Must be 0 or 1 |
The first directive must be either “0 or “1,” as these are the only values that enable or disable the header. |
The first directive in the X-XSS-Protection header must be 0 or 1, cannot be any other number or contain text. |
| Report must be last |
The Report directive must come last, otherwise a client might ignore this value. |
Ensure your X-XSS-Protection header directives are ordered correctly and that “Report” is the last directive. Read more at Guidelines for Setting Security Headers. |
