Ratings Algorithm Update: Web Application Risk Vectors – February 5, 2025

The Web Application Security risk vector is planned to become rating impacting and is replacing Web Application Headers for the 2025 Ratings Algorithm Update (RAU). The Web Application Headers risk vector will be available as an informational risk vector until it is eventually deprecated.

Refer to the migration plan and adjustments to the possible finding grades and weights of assessments.

Migration from Web Application Headers to Web Application Security

Migration from Web Application Header data to Web Application Security assessments:

• Changes for Required Headers
• Changes for Optional Headers
• Changes for Content Checks

Changes for Required Headers

Cache-Control

Required for HTTP/1.1

Change: Dropped. No relevant security impact.

Content-Security-Policy

Required for HTTP/1.0 - HTTP/1.1

Change: Content Security Policy Configurations assessment.

Expires

Required for HTTP/1.0

Change: Dropped. No relevant security impact.

HTTP Strict-Transport-Security (HSTS)

Required for HTTP/1.0 - HTTP/1.1

Change: HSTS Preload Directive Present assessment.

X-Content-Type-Options

Required for HTTP/1.0 - HTTP/1.1

Change: Dropped. No relevant security impact.

Changes for Optional Headers

Access-Control-Allow-Origin

Required for HTTP/1.0 - HTTP/1.1

Change: Dropped. No relevant security impact.

Location

Required for HTTP/1.0 - HTTP/1.1

This is not directly graded (used for redirects).

Change: HTTPS to HTTP Redirects assessment.

Set-Cookie

Required for HTTP/1.0 - HTTP/1.1

Change: Will be used to validate specific cookie related assessments.

• Secure Cookie Set on an Insecure Channel assessment.
• Cookie SameSite Attribute assessment.

WWW-Authenticate

Required for HTTP/1.0 - HTTP/1.1

Not graded directly. Used for HTTP 401 checks.

Change: Authentication on Insecure Channel assessment.

X-Frame-Options

Required for HTTP/1.0 - HTTP/1.1

Change: Content Security Policy Configurations assessment.

X-XSS-Protection

Required for HTTP/1.0 - HTTP/1.1

Change: Content Security Policy Configurations assessment.

Changes for Content Checks

Websites with mixed HTTP and HTTPS content.

Change: Mixed Content

Intra-site URLs are evaluated for HTTPS protocol use.

Change: Mixed Content

Redirects from HTTPS to HTTP.

Change: HTTPS to HTTP Redirects

Check if the “WWW-Authenticate” is contained in an HTTP 401 response from non-HTTPS events.

Change: Authentication on Insecure Channel

Assessment Grade and Weight Adjustments

The following adjustments were implemented on December 16, 2024.

❖ Negative weights result in a positive impact for assessments.

Cross-Site Scripting

Adjustments to Cross-Site Scripting assessments:

Cross-Domain Subresource Integrity Check

Minimum weight: -3 increased to -0.3 ❖

Maximum weight: 1 decreased to 0.1

Possible Grades:

Weight = ≤0

Weight = Between >0 and ≤0.1

Cross-Domain Subresource Integrity Failure

Minimum weight: 0

Maximum weight: 5 increased to 50

Possible Grades:

(Added)

Weight = 0

Weight = Between ≥10 and ≤50

Content Security Policy Violations

Minimum weight: 0

Maximum weight: 1 increased to 100

Possible Grades:

(Added)

Weight = 0

(Removed)

Weight = Between ≥10 and ≤100

Content Security Policy Configurations

Minimum weight: 0

Maximum weight: 1.1 decreased to 0.1

Possible Grades:

Weight = 0

Weight = Between >0 and ≤0.1

(Removed)

(Removed)

Components with Known Vulnerabilities

Adjustments to Components with Known Vulnerabilities assessments:

JavaScript Libraries with Known Vulnerabilities

Minimum weight: 0

Maximum weight: Unbounded decreased to 10101

Possible Grades:

Weight = 0

Weight = Between >0 and <10

Weight = Between ≥10 and <1000

Weight = Between ≥1000 and ≤10101

Broken Authentication and Access Control

Adjustments to Broken Authentication and Access Control assessments:

CMS Administration Portal Exposed

Weight: 1 increased to 10

Possible Grades:

Weight = 10

Cross-Site Request Forgery (CSRF) Mitigations Present

Weight: Not Applicable

Possible Grades:

Authentication on Insecure Channel

Minimum weight: 0

Maximum weight: 10 increased to 1000

Possible Grades:

Weight = 0

Weight = 10

Weight = 1000

Sensitive Data Exposure

Adjustments to Sensitive Data Exposure assessments:

Secure Cookie Set on an Insecure Channel

Weight: Not Applicable

Possible Grades:

Mixed Content

Minimum weight: 0

Maximum weight: Unbounded decreased to 10101

Possible Grades:

(Added)

Weight = 0

Weight = Between >0 and <10

Weight = Between ≥10 and <1000

Weight = Between ≥1000 and ≤10101

Session Token in URL

Weight: Not Applicable

Possible Grades:

HSTS Preload Directive Present

Weight: -0.1 ❖

Possible Grades:

Weight = -0.1

Cookie SameSite Attribute

Weight: Not Applicable

Possible Grades:

Cookie SameSite Blocked

Minimum weight: 0

Maximum weight: 0.1

Possible Grades:

Weight = 0

Weight = 0.1

Unsafe Referrer Policy

Weight: 0.1

Possible Grades:

Weight = 0.1

Security Misconfiguration

Adjustments to Security Misconfiguration assessments:

Internal Server Error

Weight: 1 increased to 10

Possible Grades:

Weight = 10

Reverse Tabnabbing

Weight: Not Applicable

Possible Grades:

Directory Listing Exposure

Weight: Not Applicable

Possible Grades:

CORS Violation

Minimum weight: 0

Maximum weight: 1

Possible Grades:

Weight = 0

Weight = Between >0 and ≤1

(Removed)

Overly-Permissive CORS Whitelist

Minimum weight: 0

Maximum weight: 1 increased to 10

Possible Grades:

(Added)

Weight = 0

Weight = 10

HTTPS to HTTP Redirects

Weight: 1 increased to 1000

Possible Grades:

(Removed)

Weight = 1000