The Web Application Headers risk vector contributes to how the Diligence risk category is calculated. It analyzes a variety of headers and their configurations to determine if security best practices are being followed. The entire header configuration (not individual errors) is analyzed.
Resources
- Configuration Requirements: Requirements for configuring headers.
- Finding Grades: How Web Application Header findings are graded. Learn more about finding grades.
- Finding Messages: Details about the finding and remediation instructions.
- Required & Optional Headers: Assessed headers.
Web Application Header Concepts
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior:
- Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external scanning tools, so no data is collected.
- If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The Web Application Headers risk vector contributes to the weight of the Diligence risk category; the weights of all risk vectors in that category add up to 70.5% of the Bitsight Security Rating.
Percentage (out of 70.5% in Diligence): 5%
- April 3, 2025: Behavior when we're temporarily unable to collect data.
- November 22, 2024: Default grading behavior updated.
- August 16, 2024: Moved sections to their own pages, linked to them, and provided more context on their contents.
Feedback
4 comments
Hi BitSight,
Have you considered the scenario when the CSP is added in the HTTP meta (https://content-security-policy.com/examples/meta/) instead of the HTTP response header?
Hello Marcus,
We consider CSP in HTML only if:
Refer to What Content-Security-Policy (CSP) directives are assessed? for more details.
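The question above turns on where a Content-Security-Policy is delivered: in the HTTP response header or in an HTML `<meta http-equiv>` element. The following is an added example, not Bitsight's code or its assessment logic, that classifies a captured HTTP response by CSP delivery source and flags directives that the CSP specification says a browser ignores when the policy arrives via `<meta>` (frame-ancestors, report-uri, sandbox). The sample responses are constructed inline; only the Python standard library is used.

```python
"""Classify where a page's Content-Security-Policy comes from:
an HTTP response header, an HTML <meta http-equiv> element, both, or neither.

Added example, not Bitsight's code. Standard library only."""
from email.parser import BytesParser
from html.parser import HTMLParser

# Directives the CSP spec says are ignored when the policy is delivered via <meta>.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}


class _MetaCspParser(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # html.parser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block)  # case-insensitive header access
    return status_line.decode(), headers, body.decode("utf-8", "replace")


def parse_directives(policy: str) -> dict:
    """Turn 'default-src 'self'; frame-ancestors 'none'' into {name: [values]}."""
    out = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def assess_csp(raw: bytes) -> dict:
    """Report the CSP delivery source and any meta-delivered directives a browser ignores."""
    _, headers, body = parse_response(raw)
    header_policies = headers.get_all("Content-Security-Policy") or []
    meta_parser = _MetaCspParser()
    meta_parser.feed(body)
    meta_policies = meta_parser.policies

    if header_policies and meta_policies:
        source = "both"
    elif header_policies:
        source = "header"
    elif meta_policies:
        source = "meta"
    else:
        source = "none"

    ignored = sorted(
        {d for pol in meta_policies for d in parse_directives(pol) if d in META_UNSUPPORTED}
    )
    return {
        "source": source,
        "header_policies": header_policies,
        "meta_policies": meta_policies,
        "meta_ignored_directives": ignored,  # these only take effect from the header
    }


# Constructed sample responses (not captured from any real site).
RESPONSE_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n"
    b"<!doctype html><html><head><title>x</title></head><body>ok</body></html>"
)
RESPONSE_META = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<!doctype html><html><head>"
    b"<meta http-equiv=\"Content-Security-Policy\" "
    b"content=\"default-src 'self'; frame-ancestors 'none'\">"
    b"</head><body>ok</body></html>"
)
RESPONSE_NONE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<!doctype html><html><head></head><body>ok</body></html>"
)

if __name__ == "__main__":
    for name, resp in [("header", RESPONSE_HEADER), ("meta", RESPONSE_META), ("none", RESPONSE_NONE)]:
        print(name, assess_csp(resp))
```

The design point is that a meta-delivered policy is not equivalent to a header-delivered one: the meta-only sample above declares frame-ancestors, but a browser will not enforce that directive from a `<meta>` element, so the page remains frameable despite the policy text looking complete.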
The article links to pages that are not available for the required headers:
You're not authorized to access this page – Bitsight Knowledge Base (bitsighttech.com)
I'm sorry about the content not being available. That was not intended and is fixed now.