- January 9, 2023: Linked to finding consideration resource.
- October 20, 2021: Ratings Algorithm Update 2021.
- July 12, 2021: Added “There's an HTTPS to HTTP redirect. It is changed to be an HTTPS to HTTPS redirect” scenario.
Web Application Header findings are graded as GOOD, FAIR, WARN, BAD, or NEUTRAL. Remediation may generate a new finding that does not replace the previous finding. Refer to finding considerations to see how Web Application Header findings are generated.
Methodology Overview
| Scenario | Methodology |
|---|---|
| Content-Security-Policy is missing. | For just the headers, any missing Content-Security-Policy is penalized. |
| There's an HTTPS to HTTP redirect. It is changed to be an HTTPS to HTTPS redirect. | HTTPS to HTTPS redirects are graded as NEUTRAL. Since NEUTRAL Web Application Header findings do not impact the risk vector grade, they do not replace the HTTPS to HTTP redirect BAD finding grade. |
| There’s an HTTP request in a redirect chain. |
Once there has been any HTTP request in a redirect chain, the security of the chain is potentially compromised. For example, an attacker can intercept the HTTP request (man-in-the-middle) and then redirect the destination. Even having the final URL requested via HTTPS doesn’t protect against this. |
| A required header is not present. | The company is penalized on missing required headers, as described in the configuration requirements. |
| Optional headers are present. | Optional headers are verified that they are configured correctly and go towards the requirements as a whole for a GOOD or FAIR finding grade, as described in the configuration requirements. |
| Optional headers are not present. | Since optional headers are unnecessary for preventing malicious actions (as described in the configuration requirements), there’s no penalty. |
| Set-Cookie header is not set. | HTTP findings are not graded unless the Set-Cookie header is set. |
| The presence of any HTTP links within an HTTPS page if upgrade-insecure-requests is present. | Any check for the presence of mixed content is skipped; there’s no penalty on the presence of any HTTP links within an HTTPS page if upgrade-insecure-requests is present. |
| An HTTP Strict-Transport-Security (HSTS) header on an HTTP response. | An HTTP Strict-Transport-Security (HSTS) header on an HTTP response is ignored. |
| Redirects to a deep link of a hostname. | Redirects to a deep link of a hostname are graded on the contents of that particular page.
|
| Wildcard DNS | The presence of wildcards in DNS records can have an unnecessary magnification of the number of Web Application Header findings. These repeated findings are handled as a single finding. |
Finding Weights
See the relative weights of Web Application Header findings:
| Type | Weight |
|---|---|
| HTTPS to HTTP Redirect | Heavy |
| WWW-Authenticate (Error #401) | Medium |
| Mixed HTTP & HTTPS Content | Medium |
| HTTP Header | Light |
Finding Grades
GOOD
Findings are graded as GOOD if HTTPS connections are present and Set-Cookie is secure.
BAD
- The presence of any HTTP links or references embedded in an HTTPS website. See content checks.
- Any request for credentials that uses the
WWW-Authenticateheader. - We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if these resources are present.
- Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect.
NEUTRAL
NEUTRAL Web Application Header findings do not negatively impact the risk vector grade.
- No headers are graded unless
Set-Cookieis defined. If not defined, the grade defaults to NEUTRAL. - For HTTP connections, no headers are graded unless
Set-Cookieis defined. If not defined, the grade defaults to NEUTRAL. - Redirects to a different hostname with a different IP address are graded as NEUTRAL.
Redirects to a deep link of a hostname are graded on the contents of that particular page.
- Remediated findings are graded as NEUTRAL, which replaces the previous BAD finding. Remediation may generate a new finding that does not replace the previous finding. Refer to finding considerations to see how Web Application Header findings are generated.