Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

How to Evaluate a Host for Web Application Headers Inclusion

Avatar
Ingrid
Follow
  • November 30, 2021: Added shortcuts to sections.
  • October 18, 2018: Published.

Review the criteria for Web Application Header findings.

Instructions

To determine if a finding is created, use the following procedure to run a curl -IL command on a host:

  1. Use your browser’s developer tool to copy the cURL command to your clipboard. Refer to the following instructions for your browser:
  2. Go to the “Network” tab of the developer tool.
  3. Right-click “www.bitsighttech.com” and then select CopyCopy as cURL.
  4. Paste this into your Terminal and include “-v” at the end of your query.
  5. Run the cURL command.

Example Response

Refer to the following response, located before the encrypted data.

HTTP/1.1 301 Moved Permanently
Location: https://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Tue, 28 Aug 2018 17:17:40 GMT
Expires: Thu, 27 Sep 2018 17:17:40 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
 
HTTP/1.1 200 OK
Date: Tue, 28 Aug 2018 17:17:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2018-08-28-17; expires=Thu, 27-Sep-2018 17:17:40 GMT; path=/; domain=.google.com
Set-Cookie: NID=137=CQFYBttoqB9c2BYrozSME9mnGMSygLp6PKHEj2mj5vXWAEfWgdb5AsiPDumeyvo6sX5OBTULQOdT9drlusQQu-6KhGfqrGHgRfSbUpkRwCjxXkltT8Varb4m_rM9Nyba; expires=Wed, 27-Feb-2019 17:17:40 GMT; path=/; domain=.google.com; HttpOnly
Transfer-Encoding: chunked
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Accept-Ranges: none
Vary: Accept-Encoding

Additional Help

If a finding is missing:

  • Verify the host against the criteria for Web Application Header findings.
  • Ensure your block lists are not preventing lawful, periodic internet scanners from visiting your web properties.
  • Check your firewall settings and ensure friendly scanners are able to connect.

If a header is missing:

  • Ensure the domain is in your company’s infrastructure.
  • If the port has been closed, but 60 days hasn’t elapsed for the finding to fall off your rating, select the Refresh button to update the port.

If findings are not updating from your changes:

  • Please allow 2-3 days for Web Application Header findings to update.
  • If the changes do not meet the criteria, no findings were created.

Contact Bitsight Support for additional help.

Related articles