Rules

F043. Improperly set HTTP headers

Description

Some of the server’s response headers are not properly set. They are needed because they make the pages it hosts less susceptible to attacks, such as click-jacking and XSS.

Recommendation

For application servers, the required HTTP headers are the following:

Access-Control-Allow-Origin
Cache-Control
Content-Security-Policy
Expires
Content-Type
Strict-Transport-Security (HSTS)
X-Permitted-Cross-Domain-Policies
Pragma
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection

For API servers, the required HTTP headers are the following:

Content-Type
Accept
Strict-Transport-Security (HSTS)
X-Content-Type-Options
X-Frame-Options

Rules

R062. Define standard configurations
R175. Protect pages from clickjacking

Service status - Terms of Use - Privacy Policy - Cookie Policy