The Web Application Headers risk vector is part of the Diligence risk category. It analyzes a variety of headers and their configurations to determine if security best practices are being followed. The entire header configuration (not individual errors) is analyzed.
See how the Diligence risk category is calculated.
Resources
- Configuration Requirements: requirements for configuring headers.
- Finding Grades: how Web Application Header findings are graded. Learn more about finding grades.
- Finding Messages: details about each finding and its remediation instructions.
- Required & Optional Headers: the headers that are assessed.
Web Application Header Concepts
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior:
- Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that can redirect and encapsulate network traffic. Some firewalls might also detect and block external scanning tools, so that no data can be collected.
- If there are no findings and we are temporarily unable to collect data, the most recent grade is retained for up to 340 days before the default grade is assigned.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
Although the Web Application Headers risk vector belongs to the Diligence risk category, whose risk vectors together account for 70.5% of Bitsight Security Ratings, it is an informational risk vector and does not itself affect the rating.
Weight: Not Applicable
- October 14, 2025: Web Application Headers (WAH) is non-graded.
- July 10, 2025: No longer rating-impacting due to the 2025 Ratings Algorithm Update.
- April 3, 2025: Behavior when we're temporarily unable to collect data.
- November 22, 2024: Default grading behavior updated.
Feedback
4 comments
Hi BitSight,
Have you considered the scenario when the CSP is added in the HTTP meta (https://content-security-policy.com/examples/meta/) instead of the HTTP response header?
Hello Marcus,
We consider CSP in HTML only if:
Refer to What Content-Security-Policy (CSP) directives are assessed? for more details.
The article links to pages that are not available for the required headers:
You're not authorized to access this page – Bitsight Knowledge Base (bitsighttech.com)
I'm sorry about the content not being available. That was not intended and is fixed now.