Web Application Headers: Required & Optional Headers
Ingrid

Note: The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned an N/A grade.

Methodology

Required Headers

These headers are important for preventing attacks and are checked for both presence and correct configuration. If an application header exists but a required header is not found in the findings, the company is penalized for missing headers. The penalties are described in the configuration requirements.

| Header | Required For |
| --- | --- |
| Cache-Control | HTTP/1.1 |
| Content-Security-Policy | HTTP/1.1, HTTP/1.0 |
| Expires | HTTP/1.0 |
| HTTP Strict-Transport-Security (HSTS) | HTTP/1.1, HTTP/1.0 |
| X-Content-Type-Options | HTTP/1.1, HTTP/1.0 |

Optional Headers

Optional headers may be present in addition to required headers. Misconfigured or improperly formatted optional headers negatively impact the finding grade. If present, optional headers are verified to be configured correctly and count towards the requirements as a whole for a GOOD or FAIR finding grade. The absence of optional headers does not impact the risk vector grade: if they are not present, companies are not penalized, since they are unnecessary for preventing malicious actions.

| Header | Optional For |
| --- | --- |
| Access-Control-Allow-Origin | HTTP/1.0, HTTP/1.1 |
| Location | HTTP/1.0, HTTP/1.1 |
| Set-Cookie | HTTP/1.0, HTTP/1.1 |
| WWW-Authenticate | HTTP/1.0, HTTP/1.1 |
| X-Frame-Options | HTTP/1.0, HTTP/1.1 |
| X-XSS-Protection | HTTP/1.0, HTTP/1.1 |

October 15, 2025: WAH non-graded.
August 16, 2024: Published.
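As an added example (not part of this article or the rating methodology it describes), the Python script below classifies one HTTP response's headers against the two tables above: which required headers are missing for the given HTTP version, which optional headers are present and therefore need their configuration verified, and which present headers fail a value check. The value checks for HSTS, X-Content-Type-Options and X-Frame-Options are general best-practice assumptions, not the configuration requirements the article refers to; the sample headers are constructed.

```python
import re
from typing import Dict, List

# Required headers and the HTTP versions they are required for (from the article's table).
REQUIRED = {
    "cache-control": {"HTTP/1.1"},
    "content-security-policy": {"HTTP/1.0", "HTTP/1.1"},
    "expires": {"HTTP/1.0"},
    "strict-transport-security": {"HTTP/1.0", "HTTP/1.1"},
    "x-content-type-options": {"HTTP/1.0", "HTTP/1.1"},
}
# Optional headers (from the article's table): checked for configuration only if present.
OPTIONAL = {"access-control-allow-origin", "location", "set-cookie",
            "www-authenticate", "x-frame-options", "x-xss-protection"}

def _hsts_ok(value: str) -> bool:
    # Assumption: a usable HSTS policy carries a positive max-age directive.
    m = re.search(r"max-age=(\d+)", value)
    return m is not None and int(m.group(1)) > 0

# Illustrative value checks. These are general best-practice rules assumed here,
# NOT the grading rules the article refers to.
VALUE_CHECKS = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
}

def audit_headers(headers: Dict[str, str], http_version: str) -> Dict[str, List[str]]:
    """Classify one response's headers for the given HTTP version.
    Header names are compared case-insensitively, as HTTP requires."""
    present = {name.lower(): value for name, value in headers.items()}
    missing = sorted(h for h, versions in REQUIRED.items()
                     if http_version in versions and h not in present)
    optional_present = sorted(h for h in OPTIONAL if h in present)
    misconfigured = sorted(h for h, ok in VALUE_CHECKS.items()
                           if h in present and not ok(present[h]))
    return {"missing": missing, "optional_present": optional_present,
            "misconfigured": misconfigured}

# Constructed sample response headers (not captured from any real site).
SAMPLE = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=0",   # present but ineffective
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",              # present but not a valid value
}

if __name__ == "__main__":
    for key, names in audit_headers(SAMPLE, "HTTP/1.1").items():
        print(f"{key}: {names}")
```

Running the script against the sample reports Content-Security-Policy as the only missing required header for HTTP/1.1, X-Frame-Options as the optional header to verify, and both HSTS and X-Frame-Options as misconfigured.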