Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

How is the Web Application Headers Risk Vector Assessed?

Avatar
Ingrid
Follow
  • December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.
  • April 20, 2023: 2023 RAU weight adjustment & grading when there are no findings.
  • October 20, 2021: Ratings Algorithm Update 2021.

⇤ How is the Diligence Risk Category Calculated?

A variety of HTTP headers are assessed for the Web Application Headers risk vector to determine if security best practices are being followed. Only the HTTP headers of hosts that return HTTP 200 responses are assessed. The entire header configuration (not individual errors) is assessed. See how Web Application Header findings are graded.

Learn why HTTPS is preferred over HTTP:

Sections

Field Description Details & Values
Finding Behavior

How findings behave, depending on the action taken.

Remediation may generate a new finding that does not replace the previous finding. Refer to finding considerations to see how Web Application Header findings are generated.
  • New findings immediately impact the grade.
  • Remediated findings:
    • The newest finding replaces the past finding and impacts the grade for 60 days, as it completes its lifetime.
    • The previous finding is replaced and stops impacting the grade.
Lifetime The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. 60 Days
No Findings The letter grade if there are no findings or only Neutral findings for this risk vector.

[Grade C] – “C” Letter Grade

Some findings cannot be traced back to specific companies due to the use of third party systems; such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external scanning tools from getting any data. This is set in the center of the grading scale for computing into security ratings.

If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Refresh The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.
  Automated Scan Duration The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations. 60 Days
User-Requested Refresh Duration The duration of a user-requested refresh, which initiates a refresh of eligible findings upon request. This is recommended when a change in the finding is expected, such as when a finding has been remediated. 3 Days
Weight Out of 70.5% in Diligence. 5%

Content Checks

  • Websites with mixed HTTP and HTTPS content.
  • Intra-site URLs are evaluated for HTTPS protocol use.
  • Redirects from HTTPS to HTTP.
  • Check if the “WWW-Authenticate” is contained in an HTTP 401 response from non-HTTPS events.

⇪ Back to Directory

Assessed Headers

Required Headers

These are important for preventing attacks and are checked for usage and correct configurations. If an application header exists and the required header is not found in the findings, the company is penalized on missing headers. The penalties are described below under “Configuration Requirements.”

Header Required For

Cache-Control

 HTTP/1.1

Content-Security-Policy
  • HTTP/1.1
  • HTTP/1.0

Expires

 HTTP/1.0

HTTP Strict-Transport-Security (HSTS)
  • HTTP/1.1
  • HTTP/1.0

X-Content-Type-Options
  • HTTP/1.1
  • HTTP/1.0

Optional Headers

Optional headers may be present, in addition to required headers.

  • If present, optional headers are verified that they are configured correctly and go towards the requirements as a whole for a GOOD or FAIR finding grade.
  • If not present, companies are not penalized since they are unnecessary for preventing malicious actions.
Header Optional For

Access-Control-Allow-Origin
  • HTTP/1.0
  • HTTP/1.1

Location
  • HTTP/1.0
  • HTTP/1.1

Set-Cookie
  • HTTP/1.0
  • HTTP/1.1

WWW-Authenticate
  • HTTP/1.0
  • HTTP/1.1

X-Frame-Options
  • HTTP/1.0
  • HTTP/1.1

X-XSS-Protection
  • HTTP/1.0
  • HTTP/1.1

⇪ Back to Directory

Configuration Requirements

Requirements for GOOD grade: No misconfigured headers (required or optional) are present.

Requirements for FAIR grade: No more than 50% distinct misconfigured headers can be present (required and optional)

For HTTP connections, no headers are graded unless Set-Cookie is defined. The finding grade will default to NEUTRAL.

Required HTTP 1.1 (HTTPS):

  • Content-Security-Policy
  • HTTP Strict-Transport-Security
  • X-Content-Type-Options
  • Cache-Control

Required HTTP 1.1 (non-HTTPS):

  • Content-Security-Policy
  • X-Content-Type-Options
  • Cache-Control
  • Set-Cookie

Required HTTP 1.0 (HTTPS):

  • Content-Security-Policy
  • HTTP Strict-Transport-Security
  • X-Content-Type-Options
  • Expires

Required HTTP 1.0 (non-HTTPS):

  • Content-Security-Policy
  • X-Content-Type-Options
  • Expires
  • Set-Cookie

Responses

The following errors downgrade the response from HTTPS to HTTP:

  • 200 responses
  • 30X responses
  • 401 responses

HTTP 1.1 (HTTPS)

Response Description
200

We validate that no hyperlinks in the HTML for the webpage downgrade the user inside the site and the domain of the site.

We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS.

The finding is graded BAD if these resources are present.
30x (301, 302, 307) Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD.

HTTP 1.0 (HTTPS)

Response Description
200

We validate that no hyperlinks in the HTML for the webpage downgrade the user inside the site and the domain of the site.

We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS.

The finding is graded BAD if these resources are present.
30x (302, 307) Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD.

⇪ Back to Directory

Finding Grading

Web Application Header findings are evaluated as GOOD, FAIR, WARN, or BAD.

  • Findings with perfect headers are graded as GOOD.
  • Findings with imperfect headers are graded as FAIR.
  • FAIR findings for this risk vector have a negative impact on the rating.

See finding messages.

Related articles