Ratings Algorithm Update: Web Application Risk Vectors – February 5, 2025
Ingrid

The Web Application Security risk vector is planned to become rating-impacting and replaces Web Application Headers in the Ratings Algorithm Update (RAU) scheduled for July 10, 2025. The Web Application Headers risk vector will remain available as an informational risk vector until it is eventually deprecated. Refer to the migration plan and the adjustments to the possible finding grades and weights of assessments below, and refer to the Ratings Preview to begin preparations.

Migration from Web Application Headers to Web Application Security

Migration from Web Application Header data to Web Application Security assessments:
- Changes for Required Headers
- Changes for Optional Headers
- Changes for Content Checks

Changes for Required Headers

Cache-Control (Required for HTTP/1.1)
  Change: Dropped. No relevant security impact.

Content-Security-Policy (Required for HTTP/1.0 - HTTP/1.1)
  Change: Content Security Policy Configurations assessment.

Expires (Required for HTTP/1.0)
  Change: Dropped. No relevant security impact.

HTTP Strict-Transport-Security (HSTS) (Required for HTTP/1.0 - HTTP/1.1)
  Change: HSTS Preload Directive Present assessment.

X-Content-Type-Options (Required for HTTP/1.0 - HTTP/1.1)
  Change: Dropped. No relevant security impact.

Changes for Optional Headers

Location (Required for HTTP/1.0 - HTTP/1.1)
  Not directly graded (used for redirects).
  Change: HTTPS to HTTP Redirects assessment.

Set-Cookie (Required for HTTP/1.0 - HTTP/1.1)
  Change: Will be used to validate specific cookie-related assessments:
  - Secure Cookie Set on an Insecure Channel assessment.
  - Cookie SameSite Attribute assessment.

WWW-Authenticate (Required for HTTP/1.0 - HTTP/1.1)
  Not graded directly. Used for HTTP 401 checks.
  Change: Authentication on Insecure Channel assessment.

X-Frame-Options (Required for HTTP/1.0 - HTTP/1.1)
  Change: Content Security Policy Configurations assessment.
X-XSS-Protection (Required for HTTP/1.0 - HTTP/1.1)
  Change: Content Security Policy Configurations assessment.

Changes for Content Checks

Websites with mixed HTTP and HTTPS content.
  Change: Mixed Content

Intra-site URLs are evaluated for HTTPS protocol use.
  Change: Mixed Content

Redirects from HTTPS to HTTP.
  Change: HTTPS to HTTP Redirects

Check whether the "WWW-Authenticate" header is contained in an HTTP 401 response from non-HTTPS events.
  Change: Authentication on Insecure Channel

Assessment Grade and Weight Adjustments

The following adjustments were implemented on December 16, 2024.

❖ Negative weights result in a positive impact for assessments.

Cross-Site Scripting

Adjustments to Cross-Site Scripting assessments:

Cross-Domain Subresource Integrity Check
  Minimum weight: -3 increased to -0.3 ❖
  Maximum weight: 1 decreased to 0.1
  Possible Grades:
  - Weight = ≤0
  - Weight = Between >0 and ≤0.1

Cross-Domain Subresource Integrity Failure
  Minimum weight: 0
  Maximum weight: 5 increased to 50
  Possible Grades:
  - (Added) Weight = 0
  - Weight = Between ≥10 and ≤50

Content Security Policy Violations
  Minimum weight: 0
  Maximum weight: 1 increased to 100
  Possible Grades:
  - (Added) Weight = 0
  - (Removed)
  - Weight = Between ≥10 and ≤100

Content Security Policy Configurations
  Minimum weight: 0
  Maximum weight: 1.1 decreased to 0.1
  Possible Grades:
  - Weight = 0
  - Weight = Between >0 and ≤0.1
  - (Removed)
  - (Removed)

Components with Known Vulnerabilities

Adjustments to Components with Known Vulnerabilities assessments:

JavaScript Libraries with Known Vulnerabilities
  Minimum weight: 0
  Maximum weight: Unbounded decreased to 10101
  Possible Grades:
  - Weight = 0
  - Weight = Between >0 and <10
  - Weight = Between ≥10 and <1000
  - Weight = Between ≥1000 and ≤10101

Broken Authentication and Access Control

Adjustments to Broken Authentication and Access Control assessments:

CMS Administration Portal Exposed
  Weight: 1 increased to 10
  Possible Grades:
  - Weight = 10

Cross-Site Request Forgery (CSRF) Mitigations Present
  Weight: Not Applicable
  Possible Grades:

Authentication on Insecure Channel
  Minimum weight: 0
  Maximum weight: 10 increased to 1000
  Possible Grades:
  - Weight = 0
  - Weight = 10
  - Weight = 1000

Sensitive Data Exposure

Adjustments to Sensitive Data Exposure assessments:

Secure Cookie Set on an Insecure Channel
  Weight: Not Applicable
  Possible Grades:

Mixed Content
  Minimum weight: 0
  Maximum weight: Unbounded decreased to 10101
  Possible Grades:
  - (Added) Weight = 0
  - Weight = Between >0 and <10
  - Weight = Between ≥10 and <1000
  - Weight = Between ≥1000 and ≤10101

Session Token in URL
  Weight: Not Applicable
  Possible Grades:

HSTS Preload Directive Present
  Weight: -0.1 ❖
  Possible Grades:
  - Weight = -0.1

Cookie SameSite Attribute
  Weight: Not Applicable
  Possible Grades:

Cookie SameSite Blocked
  Minimum weight: 0
  Maximum weight: 0.1
  Possible Grades:
  - Weight = 0
  - Weight = 0.1

Unsafe Referrer Policy
  Weight: 0.1
  Possible Grades:
  - Weight = 0.1

Security Misconfiguration

Adjustments to Security Misconfiguration assessments:

Internal Server Error
  Weight: 1 increased to 10
  Possible Grades:
  - Weight = 10

Reverse Tabnabbing
  Weight: Not Applicable
  Possible Grades:

Directory Listing Exposure
  Weight: Not Applicable
  Possible Grades:

CORS Violation
  Minimum weight: 0
  Maximum weight: 1
  Possible Grades:
  - Weight = 0
  - Weight = Between >0 and ≤1
  - (Removed)

Overly-Permissive CORS Whitelist
  Minimum weight: 0
  Maximum weight: 1 increased to 10
  Possible Grades:
  - (Added) Weight = 0
  - Weight = 10

HTTPS to HTTP Redirects
  Weight: 1 increased to 1000
  Possible Grades:
  - (Removed)
  - Weight = 1000
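As an added example that is not part of the original article and not the vendor's scanner logic, the following Python function maps one captured HTTP response onto the Web Application Security assessment names listed in the migration section above. The header-to-assessment mapping follows the page; the exact trigger conditions, the missing-SameSite rule, the src/href scan for mixed content and the sample response are assumptions.

```python
import re
from urllib.parse import urlparse

# Added illustration of the header-to-assessment mapping above. The trigger
# conditions, field names and the sample response are assumptions, not the
# vendor's scanner logic.

def assess_response(url, status, headers, body=""):
    """Assessment names one captured response triggers. `headers` maps
    lower-case header names to a list of values (Set-Cookie may repeat)."""
    insecure = urlparse(url).scheme == "http"
    findings = set()

    def get(name):
        return headers.get(name.lower(), [])

    # WWW-Authenticate on an HTTP 401 that was served over plain HTTP
    if status == 401 and insecure and get("WWW-Authenticate"):
        findings.add("Authentication on Insecure Channel")

    # A 3xx whose Location downgrades an HTTPS request to http://
    location = get("Location")
    if 300 <= status < 400 and not insecure and location:
        if urlparse(location[0]).scheme == "http":
            findings.add("HTTPS to HTTP Redirects")

    for cookie in get("Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" in attrs and insecure:
            findings.add("Secure Cookie Set on an Insecure Channel")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.add("Cookie SameSite Attribute")  # assumed: attribute missing

    # HSTS with the preload directive is a positive finding (negative weight)
    hsts = get("Strict-Transport-Security")
    if hsts and "preload" in [d.strip().lower() for d in hsts[0].split(";")]:
        findings.add("HSTS Preload Directive Present")

    # An HTTPS page that embeds http:// subresources (assumed: src/href scan)
    if not insecure and re.search(r'(?i)\b(?:src|href)=["\']http://', body):
        findings.add("Mixed Content")
    return findings


if __name__ == "__main__":
    # Constructed sample: a login page answering 401 over plain HTTP
    sample_headers = {"www-authenticate": ['Basic realm="admin"'],
                      "set-cookie": ["sid=abc; Secure; HttpOnly"]}
    print(sorted(assess_response("http://login.example.test/", 401,
                                 sample_headers)))
```

Feed it the scheme, status, headers and body recorded for each of your own pages to see which of the new assessments a response would trip before the July 10, 2025 update takes effect.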