How is the Web Application Headers Risk Vector Assessed?
Ingrid

The Web Application Headers risk vector is part of the Diligence risk category. It analyzes a variety of headers and their configurations to determine whether security best practices are being followed. The entire header configuration is analyzed, not individual errors. See how the Diligence risk category is calculated.

The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned an N/A grade.

Resources

Configuration Requirements: Requirements for configuring headers.
Finding Grades: How Web Application Header findings are graded. Learn more about finding grades.
Finding Messages: Details about the finding and remediation instructions.
Required & Optional Headers: Assessed headers.

Web Application Header Concepts

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Default: [No Impact]. WAH was replaced with WAS in the RAU25 and will be deprecated. It is a non-graded risk vector and is assigned an N/A grade.

Behavior: Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls might also detect and block external scanning tools, so that no data is collected. If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 340 days before the default grade is assigned.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.

Duration: 60 Days

Weight

Though the Web Application Headers risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings, this is an informational risk vector.

Weight: Not Applicable

October 14, 2025: WAH non-graded.
July 10, 2025: No longer rating-impacting due to the 2025 Ratings Algorithm Update.
April 3, 2025: Behavior when we're temporarily unable to collect data.
November 22, 2024: Default grading behavior updated.

4 comments

Marcus Chen, June 01, 2020 05:32
Hi BitSight, have you considered the scenario when the CSP is added in the HTTP meta (https://content-security-policy.com/examples/meta/) instead of the HTTP response header?

Ingrid, June 04, 2020 15:32
Hello Marcus, we consider CSP in HTML only if:
- The HTML head element is an ancestor.
- The policy is inside a meta element, like so: http-equiv="Content-Security-Policy"
Refer to What Content-Security-Policy (CSP) directives are assessed? for more details.

Maartje de Groot, September 03, 2024 11:38
The article links to pages that are not available for the required headers: You're not authorized to access this page – Bitsight Knowledge Base (bitsighttech.com)

Ingrid, September 20, 2024 15:14
I'm sorry about the content not being available. That was not intended and is fixed now.
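The meta-element rule from Ingrid's reply, as an added example that is not Bitsight's scanner code: a small Python checker that collects the effective Content-Security-Policy from the response headers and from a meta http-equiv element, counting the meta element only when a head element is an ancestor. The function name, class name and sample input are assumptions constructed for this illustration.

```python
from html.parser import HTMLParser


class _MetaCspFinder(HTMLParser):
    """Collects Content-Security-Policy values from <meta http-equiv> elements
    that have <head> as an ancestor. A meta element in <body>, or outside any
    <head>, is ignored, matching the rule described in the comment above."""

    def __init__(self):
        super().__init__()
        self.head_depth = 0   # > 0 while we are inside a <head> element
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.head_depth += 1
            return
        if tag == "meta" and self.head_depth > 0:
            # HTMLParser lowercases attribute names; values may be None.
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").strip().lower() == "content-security-policy":
                self.policies.append(a.get("content", "").strip())

    def handle_endtag(self, tag):
        if tag == "head" and self.head_depth > 0:
            self.head_depth -= 1


def effective_csp(headers, html):
    """Return the CSP policies that apply to a page: response header values first
    (header names matched case-insensitively), then qualifying <meta> policies."""
    policies = [v.strip() for k, v in headers if k.lower() == "content-security-policy"]
    finder = _MetaCspFinder()
    finder.feed(html)
    finder.close()
    return policies + finder.policies


# Constructed sample response: no CSP header, one meta policy in <head> and a
# second meta policy in <body> that must be ignored.
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body>
<meta http-equiv="Content-Security-Policy" content="default-src *">
</body></html>"""

if __name__ == "__main__":
    print(effective_csp(SAMPLE_HEADERS, SAMPLE_HTML))  # ["default-src 'self'"]
```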