How is the Diligence Risk Category Calculated?
The Web Application Headers risk vector analyzes a variety of HTTP response headers and their configurations to determine whether security best practices are being followed. The header configuration is assessed as a whole, not as a list of individual errors.
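As an added illustration of what a whole-configuration header check looks like (example code written for this page, not BitSight's scanner or grading logic), the script below takes one captured HTTP response, records which headers are present, flags weak values, and separately reports a Content-Security-Policy that is delivered only through an HTML meta tag rather than as a response header. The required and optional header lists, the HSTS max-age threshold and the issue rules are assumptions chosen for the example; BitSight's own lists and grading are on its knowledge-base pages and are not reproduced here. The sample response is constructed, not captured from any real site.

```python
import re
from html.parser import HTMLParser

# Assumed header lists for this example. BitSight's actual required and
# optional header lists are on its "Required & Optional Headers" page.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)
OPTIONAL_HEADERS = ("referrer-policy", "permissions-policy")

# Assumed threshold: one year, the commonly recommended HSTS max-age.
MIN_HSTS_MAX_AGE = 31536000


class MetaCSPParser(HTMLParser):
    """Collects policies delivered via <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(attr.get("content", ""))


def assess_response(headers, body=""):
    """Assess the header configuration of one HTTP response as a whole.

    headers: mapping of header name -> value (names matched case-insensitively).
    body: HTML body text, scanned for meta-tag CSP delivery.
    Returns a dict with present/missing headers, meta-tag CSPs and issue strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    issues = []

    present = [n for n in REQUIRED_HEADERS if n in h]
    missing = [n for n in REQUIRED_HEADERS if n not in h]
    optional_present = [n for n in OPTIONAL_HEADERS if n in h]
    for name in missing:
        issues.append(f"missing required header: {name}")

    # A CSP in a <meta> tag is not equivalent to the response header: the
    # frame-ancestors, report-uri and sandbox directives are ignored there and
    # the policy only applies once the parser reaches the tag, so it is
    # reported separately rather than counted as the header being present.
    parser = MetaCSPParser()
    parser.feed(body)
    meta_csp = parser.policies
    if "content-security-policy" not in h and meta_csp:
        issues.append("CSP delivered only via <meta http-equiv>, not as a response header")

    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            issues.append("Strict-Transport-Security has no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            issues.append(f"Strict-Transport-Security max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")

    csp = h.get("content-security-policy", "")
    if csp:
        # Map directive name -> full directive text; script-src falls back to default-src.
        directives = {d.strip().split(" ", 1)[0].lower(): d.strip() for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in script_src:
            issues.append("CSP script-src (or default-src fallback) allows 'unsafe-inline'")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        issues.append(f"X-Content-Type-Options has unexpected value: {xcto!r}")

    return {
        "present": present,
        "missing": missing,
        "optional_present": optional_present,
        "meta_csp": meta_csp,
        "issues": issues,
    }


# Constructed sample response (not captured from any real site): HSTS is too
# short, and the CSP is only in a meta tag.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
SAMPLE_BODY = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body>hello</body></html>"""

if __name__ == "__main__":
    result = assess_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("present:", result["present"], "missing:", result["missing"])
    for issue in result["issues"]:
        print("-", issue)
```

Running it on the constructed sample reports the missing CSP header, the meta-tag-only CSP and the short HSTS max-age together, which is the point of assessing the configuration as a whole: each finding is judged against the rest of the response rather than in isolation.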
Resources
| Resource | Description |
|---|---|
| Configuration Requirements | Requirements for configuring headers. |
| Finding Grades | How Web Application Header findings are graded. Learn more about finding grades. |
| Finding Messages | Details about the finding and remediation instructions. |
| Required & Optional Headers | Assessed headers. |
Impact
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. If the most recent grade is lower than the default grade, the default grade is assigned.
| Concept | Behavior |
|---|---|
| Insufficient data | A default risk vector grade is assigned. Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external scanning tools from getting any data. This is set in the center of the grading scale for computing into security ratings. |
| Finding lifetime | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. Duration: 60 days |
| Percentage | Percentage (out of 70.5% in Diligence): 5% |
- November 22, 2024: Default grading behavior updated.
- August 16, 2024: Moved sections to their own pages, linked to them, and provided more context on their contents.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
Feedback
Hi BitSight,
Have you considered the scenario when the CSP is added in the HTTP meta (https://content-security-policy.com/examples/meta/) instead of the HTTP response header?
Hello Marcus,
We consider CSP in HTML only if:
Refer to What Content-Security-Policy (CSP) directives are assessed? for more details.
The article links to pages that are not available for the required headers:
You're not authorized to access this page – Bitsight Knowledge Base (bitsighttech.com)
I'm sorry about the content not being available. That was not intended and is fixed now.