https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
Get sensitive data exposure evidence, including:
- Cookie SameSite Attribute
- Cookie SameSite Blocked
- HSTS Preload Directive Present
- Mixed Content
- Secure Cookie Set on Insecure Channel
- Session Token in URL
- Unsafe Referrer Policy
For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.
Cookie SameSite Attribute
[assessmentName = cookie_same_site_attribute]
Example Response
```json
{
  "name": "TS0...b0b",
  "message": "Cookie does not have the SameSite attribute",
  "value": "017aab903c93f57f8079...2ba5a47e3e6799c7f53c",
  "attributes": "TS0...b0b=017aab903c93f57f8079...2ba5a47e3e6799c7f53c; Path=/; Domain=url; Secure"
}
```
Response Attributes
| Field | Description |
|---|---|
| name (String) | The cookie name. |
| message (String) | A summary of the issue. |
| value (String) | The value contained in the cookie. |
| attributes (String) | Attributes associated with the cookie. |
Cookie SameSite Blocked
[assessmentName = cookie_same_site_blocked]
Example Response
```json
{
  "name": "ENTRY_KEY",
  "message": "A cookie was blocked due to SameSite policy violation for reason EXCLUDE_SAME_SITE_UNSPECIFIED_TREATED_AS_LAX",
  "resolution": "blocked",
  "attributes": "path=/; domain=url",
  "resourceUrl": "url"
}
```
Response Attributes
| Field | Description |
|---|---|
| name (String) | The cookie name. |
| message (String) | A summary of the issue. |
| resolution (String) | |
| attributes (String) | Attributes associated with this link. |
| resourceUrl (String) | The resource URL that had the CSP violation. |
HSTS Preload Directive Present
[assessmentName = hsts_preload_present]
Example Response
```json
{
  "header": "Strict-Transport-Security",
  "value": "max-age=63072000; includeSubDomains; preload"
}
```
Response Attributes
| Field | Description |
|---|---|
| header (String) | The name of the HTTP header. |
| value (String) | The value of the HTTP header. |
Mixed Content
[assessmentName = mixed_content]
Example Response
```json
{
  "type": "IMAGE",
  "resolution": "upgraded",
  "resource": "url",
  "details": "Mixed Content: The page at 'url' was loaded over HTTPS, but requested an insecure element 'url'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html"
}
```
Response Attributes
| Field | Description |
|---|---|
| type (String) | The resource type. |
| resolution (String) | The action the browser took when loading the resource. |
| resource (String) | A link to the resource as defined in the web application. |
| details (String) | The resolution reason provided by the browser. |
Secure Cookie Set on Insecure Channel
[assessmentName = secure_cookie_on_insecure_channel]
Example Response
```json
{
  "name": "GUEST_LANGUAGE_ID"
}
```
Response Attributes
| Field | Description |
|---|---|
| name (String) | The cookie name. |
Session Token in URL
[assessmentName = session_token_in_url]
Example Response
```json
{
  "name": "id",
  "value": "0987654321",
  "resource": "url"
}
```
Response Attributes
| Field | Description |
|---|---|
| name (String) | The attribute name. |
| value (String) | The value of the session token. |
| resource (String) | The session token URL. |
Unsafe Referrer Policy
[assessmentName = unsafe_referrer_policy]
Example Response
```json
{
  "header": "Referrer-Policy",
  "value": "unsafe-url"
}
```
Response Attributes
| Field | Description |
|---|---|
| header (String) | The header name. |
| value (String) | The header value. |
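The evidence objects above are raw header and cookie strings, so the same conditions can be re-derived locally to confirm a fix before the next rating refresh. The following is an added example, not Bitsight's own code or client library: it takes an `assessmentName` together with the evidence object documented for it and re-checks the cookie attributes, the HSTS preload directives, the Referrer-Policy token and the session-token query parameter. The envelope that carries `assessmentName` is documented under GET: Finding Details, not here, so `triage()` takes the name and the evidence object as two arguments; the attribute-name set, the preload minimum age and all sample inputs are constructed for the example.

```python
"""Local re-checks for the web_appsec evidence documented above.

Added example, not Bitsight's code. Each check works on the raw string from
the evidence object ("attributes", "value", "resource"), so the result can be
compared with the finding and re-run after remediation. Sample values here
are constructed, not taken from a real finding.
"""
from urllib.parse import parse_qs, urlsplit

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
HSTS_PRELOAD_MIN_AGE = 31536000

# Cookie attribute names (RFC 6265 plus SameSite and Partitioned). Any other
# segment in the attribute string is taken to be the cookie's own name=value.
COOKIE_ATTRIBUTE_NAMES = {
    "path", "domain", "secure", "httponly", "samesite",
    "expires", "max-age", "partitioned",
}

# Referrer-Policy values that can send the full URL (path and query) to a
# cross-origin destination when the page itself is served over HTTPS.
FULL_URL_LEAKING_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_cookie_attributes(attributes):
    """Parse 'n=v; Path=/; Secure' into {attr: value}; flag attributes map to True."""
    attrs = {}
    for part in attributes.split(";"):
        key, _, value = part.strip().partition("=")
        key = key.strip().lower()
        if key in COOKIE_ATTRIBUTE_NAMES:
            attrs[key] = value.strip() if value else True
    return attrs


def cookie_issues(attributes):
    """Return the SameSite / Secure / HttpOnly problems in a cookie attribute string."""
    attrs = parse_cookie_attributes(attributes)
    issues = []
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        # Chrome treats an absent SameSite as Lax; that is the condition behind
        # the EXCLUDE_SAME_SITE_UNSPECIFIED_TREATED_AS_LAX block reason shown above.
        issues.append("samesite_missing")
    elif samesite.lower() == "none" and "secure" not in attrs:
        issues.append("samesite_none_without_secure")
    if "secure" not in attrs:
        issues.append("secure_missing")
    if "httponly" not in attrs:
        issues.append("httponly_missing")
    return issues


def hsts_problems(value):
    """Return what keeps a Strict-Transport-Security value short of preload requirements."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip()
    problems = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_PRELOAD_MIN_AGE:
        problems.append("max_age_below_one_year")
    if "includesubdomains" not in directives:
        problems.append("includesubdomains_missing")
    if "preload" not in directives:
        problems.append("preload_missing")
    return problems


def referrer_policy_leaks_full_url(value):
    """True when the effective Referrer-Policy token can expose the full URL.

    The header may list several comma-separated tokens; the last one is taken
    as the effective policy here (unknown tokens are not filtered out)."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    effective = tokens[-1] if tokens else ""
    return effective in FULL_URL_LEAKING_POLICIES


def token_in_url(resource, name, value):
    """True if the reported token still appears as a query parameter of the resource URL."""
    query = parse_qs(urlsplit(resource).query)
    return value in query.get(name, [])


def triage(assessment_name, details):
    """Map one documented assessmentName plus its evidence object to a list of notes."""
    if assessment_name in ("cookie_same_site_attribute", "cookie_same_site_blocked"):
        return cookie_issues(details.get("attributes", ""))
    if assessment_name == "hsts_preload_present":
        return hsts_problems(details.get("value", ""))
    if assessment_name == "unsafe_referrer_policy":
        return ["full_url_leak"] if referrer_policy_leaks_full_url(details.get("value", "")) else []
    if assessment_name == "session_token_in_url":
        found = token_in_url(details.get("resource", ""), details.get("name", ""), details.get("value", ""))
        return ["token_in_query"] if found else []
    if assessment_name == "mixed_content":
        # The http:// reference in the markup is the defect whatever the browser
        # did with it, so report the type and the browser's resolution together.
        return ["%s:%s" % (details.get("type", ""), details.get("resolution", ""))]
    if assessment_name == "secure_cookie_on_insecure_channel":
        # Evidence carries only the cookie name; confirm by fetching over plain
        # HTTP and checking that no Set-Cookie with this name and Secure arrives.
        return ["verify_over_http:" + details.get("name", "")]
    return ["unknown_assessment"]


if __name__ == "__main__":
    # Constructed evidence shaped like the documented example responses.
    print(triage("cookie_same_site_attribute", {"attributes": "TS0=abc; Path=/; Domain=example.test; Secure"}))
    print(triage("hsts_preload_present", {"value": "max-age=63072000; includeSubDomains; preload"}))
    print(triage("unsafe_referrer_policy", {"value": "unsafe-url"}))
    print(triage("session_token_in_url", {"name": "id", "value": "0987654321",
                                          "resource": "https://example.test/app?id=0987654321"}))
```

Run it against the `details` object of each finding returned by the `?risk_vector=web_appsec` query; an empty list from `cookie_issues` or `hsts_problems` after a deploy is the local signal that the corresponding finding should clear on the next scan.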
- December 12, 2023: Included general finding details; Added table of contents.
- August 11, 2023: Published.