The Web Application Headers risk vector contains information about the messages, determines how to receive messages, and determines how recipients should respond to a message.
Finding Details
The details include the data in Findings, Diligence details, and also the following information:
❖ This field can be included in the table from the Customize Columns option.
† When included, this field contains the following details: Cache-Control, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options.
| Field | Description |
|---|---|
| Assets | Asset details. |
| Asset | The asset name. |
| Calculated Importance | The Bitsight-calculated asset importance. |
| View findings | Filter findings by the asset. |
| Cache-Control❖† | Indicates if the Cache-Control header is missing. |
| Comments | Finding comments for describing the status of resolution or validity of findings to external stakeholders and other interested parties. |
| Content-Security-Policy❖† | Indicates if the Content-Security-Policy header is missing. |
| Dates | Observation dates. |
| First Seen | The date when the finding was first observed. |
| Last Seen | The date when the finding was last observed. |
| Destination Port❖ | The destination port number identified in the finding. |
| Final Location❖ | URL where headers were observed. |
| Finding Identifier | The asset (e.g., IP, domain, host, application, port) and its status (e.g. online/offline, version, support status) that identifies the finding. |
| Finding Grade | The finding grade. |
| HTTP Headers | HTTP header details. |
| Last Seen IP:Port | The most recently observed IP:Port pair. |
| Observed IPs❖ | The IP address where the certificate was seen, on the most recent day. |
| Optional HTTP Header Fields | Optional HTTP header records and issues. |
| Rescan | Rescan details. |
| Rescan Status | The status of a user-requested rescan of a finding. |
| Rescan Details | Clarification on remaining issues, such as if the issue is still present or further developments. |
| Rescan Requested | The date when a rescan was requested. |
| Remediations❖ | How to resolve a negative finding. See how to verify that a Web Application Header finding has been remediated. |
| Issue | The finding name. |
| Details | A description of the finding. |
| Remediation Tip | Tips for remediating the finding. |
| Required HTTP Header Fields | Required HTTP header records and issues. |
| Strict-Transport-Security❖† | Indicates whether the Strict-Transport-Security header is missing. |
| URL | The URL of the web page. |
| X-Content-Type-Options❖† | Indicates if the X-Content-Type-Options header is missing. |
- October 14, 2025: WAH non-graded.
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Findings Table navigation by application.
- September 22, 2022: Added Assets (Asset, Calculated Importance, & View findings), Comments, Dates (First Seen & Last Seen), Finding Identifier, Finding Grade, Rescan (Rescan Status, Rescan Details, & Rescan Requested), In Remediations (Issue, Details, & Remediation Tip) fields; “Remediation Instructions” renamed to “Remediations.”