# Web Application Header Findings

Ingrid

The Web Application Headers risk vector covers HTTP headers, which contain information about a message, determine how messages are received, and determine how recipients should respond to a message.

## Navigation Options

- SPM App: Findings ➔ Findings Table
- CM App: Select a company from your Companies List. Go to Vendor Risk ➔ Findings
- Insurance App: Select a company from your Companies List. Go to Client Risk ➔ Findings
- Bitsight API: `GET /v1/companies/entity_guid/findings?risk_vector=application_security`

This data is available for download (.csv) via the Download button. The download includes the columns that are currently configured in the table.

The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned an N/A grade.

## Finding Details

The details include the data in Findings, Diligence details, and also the following information:

- ❖ This field can be included in the table from the Customize Columns option.
- † Including this field adds the following details: Cache-Control, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options.

| Field | Description |
|---|---|
| Assets | Asset details. |
| ↳ Asset | The asset name. |
| ↳ Calculated Importance | The Bitsight-calculated asset importance. |
| ↳ View findings | Filter findings by the asset. |
| Cache-Control ❖† | Indicates whether the Cache-Control header is missing. |
| Comments | Finding comments for describing the status of resolution or validity of findings to external stakeholders and other interested parties. |
| Content-Security-Policy ❖† | Indicates whether the Content-Security-Policy header is missing. |
| Dates | Observation dates. |
| ↳ First Seen | The date when the finding was first observed. |
| ↳ Last Seen | The date when the finding was last observed. |
| Destination Port ❖ | The destination port number identified in the finding. |
| Final Location ❖ | The URL where the headers were observed. |
| Finding Identifier | The asset (e.g., IP, domain, host, application, port) and its status (e.g., online/offline, version, support status) that identifies the finding. |
| Finding Grade | The finding grade. |
| HTTP Headers | HTTP header details. |
| ↳ Last Seen IP:Port | The most recently observed IP:Port pair. |
| ↳ Observed IPs ❖ | The IP address where the certificate was seen, on the most recent day. |
| ↳ Optional HTTP Header Fields | Optional HTTP header records and issues. |
| Rescan | Rescan details. |
| ↳ Rescan Status | The status of a user-requested rescan of a finding. |
| ↳ Rescan Details | Clarification on remaining issues, such as whether the issue is still present or there have been further developments. |
| ↳ Rescan Requested | The date when a rescan was requested. |
| Remediations ❖ | How to resolve a negative finding. See how to verify that a Web Application Header finding has been remediated. |
| ↳ Issue | The finding name. |
| ↳ Details | A description of the finding. |
| ↳ Remediation Tip | Tips for remediating the finding. |
| Required HTTP Header Fields | Required HTTP header records and issues. |
| Strict-Transport-Security ❖† | Indicates whether the Strict-Transport-Security header is missing. |
| URL | The URL of the web page. |
| X-Content-Type-Options ❖† | Indicates whether the X-Content-Type-Options header is missing. |

- October 14, 2025: WAH non-graded.
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Findings Table navigation by application.
- September 22, 2022: Added Assets (Asset, Calculated Importance, & View findings), Comments, Dates (First Seen & Last Seen), Finding Identifier, Finding Grade, Rescan (Rescan Status, Rescan Details, & Rescan Requested), and Remediations (Issue, Details, & Remediation Tip) fields; "Remediation Instructions" renamed to "Remediations."

## Related articles

- Web Application Headers Risk Vector
- How is the Web Application Headers Risk Vector Assessed?
- Web Application Header Finding Messages
- Remediation Verification: Web Application Headers
- GET: Web Application Headers Finding Details
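To check a remediated asset yourself, the four header fields listed under † above can be read from the response at the final location. The script below is an added example, not Bitsight's own scanner: it reports which of those headers are absent, and the live fetch follows redirects so the headers are read where the finding's Final Location column would record them. The request user agent and timeout are assumptions.

```python
"""Report which of the HTTP headers tracked by the Web Application Headers
finding are missing from a response. Example code, not Bitsight's checker."""
import urllib.request

# The four header fields the finding table reports as present or missing.
REQUIRED_HEADERS = (
    "Cache-Control",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
)


def missing_headers(headers):
    """Return the required headers absent from `headers`.

    `headers` may be a mapping (dict, http.client.HTTPMessage) or a list of
    (name, value) pairs. Header names are compared case-insensitively, as
    HTTP requires, so "cache-control" counts as Cache-Control.
    """
    if hasattr(headers, "items"):
        headers = headers.items()
    present = {name.strip().lower() for name, _ in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def check_url(url, timeout=10):
    """Fetch `url`, following redirects, and return (final_url, missing).

    Headers are taken from the final response, i.e. the page's Final
    Location, because a redirecting front door often lacks the headers
    that the final origin sets. Needs network access; assumed usage.
    Note: Strict-Transport-Security is only honoured by browsers when
    received over HTTPS, so check the https:// URL of the asset.
    """
    req = urllib.request.Request(
        url, headers={"User-Agent": "wah-header-check/1.0"}  # assumed UA
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), missing_headers(resp.headers)


if __name__ == "__main__":
    import sys
    final, missing = check_url(sys.argv[1])
    print(final, "missing:", ", ".join(missing) or "none")
```

Run it as `python check_headers.py https://example.com/` (assumed file name); an empty "missing" list for every required header is the expected state after remediation.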