Only the HTTP headers of hosts that return HTTP 200 responses are assessed. The following headers are assessed for the Web Application Headers risk vector:
- Access-Control-Allow-Origin
- Cache-Control
- Content-Security-Policy
- Expires
- HTTP Strict-Transport-Security (HSTS)
- Set-Cookie
- X-Content-Type-Options
- X-Frame-Options (Frame-Options)
- X-XSS-Protection
Required Headers
These headers are important for preventing attacks and are checked both for presence and for correct configuration. If a host returns application headers but a required header is not found among the findings, the company is penalized for the missing header. The penalties are described in the configuration requirements.
Header | Required For |
---|---|
| HTTP/1.1 |
| HTTP/1.0 |
| HTTP |
Optional Headers
Optional headers may be present, in addition to required headers.
- Misconfigured or improperly formatted optional headers lower the finding grade. If present, optional headers are checked for correct configuration and count toward the overall requirements for a GOOD or FAIR finding grade.
- The absence of optional headers does not affect the risk vector grade. Companies are not penalized when these headers are not present, since they are not necessary for preventing malicious actions.
Header | Optional For |
---|---|
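The following is an added example, not the vendor's assessment code, showing how the rules above can be applied to a single response: only HTTP 200 responses are assessed, required headers that are absent count as missing, optional headers that are absent cost nothing, and any listed header that is present but badly configured counts as misconfigured. Because the Required/Optional tables on this page do not survive, the split between `REQUIRED` and `OPTIONAL` below, the one-year HSTS threshold and the accepted values for each header are this example's own assumptions; the sample headers are constructed, not captured from a real host.

```python
import re
from email.utils import parsedate_to_datetime

# Assumed split: the page's tables do not say which headers are required.
REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "X-Frame-Options")
OPTIONAL = ("Access-Control-Allow-Origin", "Cache-Control", "Expires",
            "Set-Cookie", "X-XSS-Protection")
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, not the vendor's


def _hsts_ok(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def _csp_ok(v):
    v = v.lower()
    # Reject an empty policy, inline scripts, or a wildcard default source.
    return bool(v.strip()) and "'unsafe-inline'" not in v \
        and re.search(r"default-src[^;]*\*", v) is None


def _xcto_ok(v):
    return v.strip().lower() == "nosniff"


def _xfo_ok(v):
    return v.strip().upper() in ("DENY", "SAMEORIGIN")


def _acao_ok(v):
    return v.strip() != "*"  # wildcard origin treated as misconfigured here


def _cache_control_ok(v):
    directives = [d.strip().lower() for d in v.split(",") if d.strip()]
    return bool(directives) and all(
        re.fullmatch(r"[a-z-]+(=\S+)?", d) for d in directives)


def _expires_ok(v):
    try:  # must be a valid HTTP date
        return parsedate_to_datetime(v) is not None
    except (TypeError, ValueError):
        return False


def _set_cookie_ok(v):
    attrs = [a.strip().lower() for a in v.split(";")[1:]]
    return "secure" in attrs and "httponly" in attrs


def _xss_ok(v):
    return re.sub(r"\s+", "", v.lower()) in ("0", "1;mode=block")


CHECKS = {
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": _csp_ok,
    "X-Content-Type-Options": _xcto_ok,
    "X-Frame-Options": _xfo_ok,
    "Access-Control-Allow-Origin": _acao_ok,
    "Cache-Control": _cache_control_ok,
    "Expires": _expires_ok,
    "Set-Cookie": _set_cookie_ok,
    "X-XSS-Protection": _xss_ok,
}


def assess(status, headers):
    """Verdict per header, or None when the response is not HTTP 200.

    headers is a list of (name, value) pairs so repeated headers such as
    Set-Cookie are all checked. Verdicts: ok, misconfigured,
    missing (required header absent), absent (optional header absent).
    """
    if status != 200:
        return None
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    verdicts = {}
    for name in REQUIRED + OPTIONAL:
        values = by_name.get(name.lower())
        if not values:
            verdicts[name] = "missing" if name in REQUIRED else "absent"
        elif all(CHECKS[name](v) for v in values):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "misconfigured"
    return verdicts


def penalties(verdicts):
    """Headers counting against the grade: missing required ones and any
    header that is present but misconfigured (absent optionals cost nothing)."""
    return sorted(h for h, v in verdicts.items()
                  if v in ("missing", "misconfigured"))


# Constructed sample response headers; not captured from any real host.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "sameorigin"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/"),  # second cookie lacks Secure/HttpOnly
    ("Access-Control-Allow-Origin", "*"),
]

if __name__ == "__main__":
    result = assess(200, SAMPLE_HEADERS)
    for header, verdict in result.items():
        print(f"{header:28} {verdict}")
    print("penalized:", penalties(result))
```

On the sample response the two required and optional groups come out as expected: every required header is present and well formed, `Expires` and `X-XSS-Protection` are simply absent (no penalty), while the second `Set-Cookie` and the wildcard `Access-Control-Allow-Origin` are reported as misconfigured. Removing `Strict-Transport-Security` from the sample turns that header into a `missing` finding, and a non-200 status short-circuits the whole assessment.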
- August 16, 2024: Published.