R349. Include HTTP security headers


The system must attach properly-configured HTTP security headers to its requests and responses.


HTTP security headers can be used to increase the overall security of an application. They are very effective at preventing the exploitation of several common vulnerabilities. For this reason, they should be configured as strictly as possible and included in all server requests and responses.


  1. CAPEC-19: Embedding Scripts within Scripts. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed.

  2. CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies. This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server.

  3. CAPEC-32: XSS Through HTTP Query Strings. An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim’s browser.

  4. CAPEC-161: Infrastructure Manipulation. An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects.

  5. CAPEC-173: Action Spoofing. An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software.

  6. CWE-116: Improper Encoding or Escaping of Output. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  7. CWE-173: Improper Handling of Alternate Encoding. The software does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.

  8. CWE-319: Cleartext Transmission of Sensitive Information. The software transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors.

  9. CWE-352: Cross-Site Request Forgery (CSRF). The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

  10. CWE-451: User Interface (UI) Misrepresentation of Critical Information. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

  11. CWE-523: Unprotected Transport of Credentials. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

  12. CWE-525: Use of Web Browser Cache Containing Sensitive Information. The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

  13. CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax. The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

  14. CWE-1021: Improper Restriction of Rendered UI Layers or Frames. The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

  15. OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  16. OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

  17. OWASP Top 10 A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

  18. OWASP Top 10 A7:2017-Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

  19. OWASP-ASVS v4.0.1 V4.2 Operation Level Access Control. (4.2.2) Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.

  20. OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection. (8.2.1) Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.

  21. OWASP-ASVS v4.0.1 V12.3 File execution Requirements. (12.3.4) Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.

  22. OWASP-ASVS v4.0.1 V13.2 RESTful Web Service Verification Requirements. (13.2.3) Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern, CSRF nonces, or ORIGIN request header checks.

  23. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.1) Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).

  24. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.2) Verify that all API responses contain Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type).

  25. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.3) Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities.

  26. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.4) Verify that all responses contain X-Content-Type-Options: nosniff.

  27. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.5) Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains.

  28. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.6) Verify that a suitable "Referrer-Policy" header is included, such as "no-referrer" or "same-origin".

  29. OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements. (14.4.7) Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site.

  30. OWASP-ASVS v4.0.1 V14.5 Validate HTTP Request Header Requirements. (14.5.3) Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the "null" origin.

  31. PCI DSS v3.2.1 - Requirement 6.5.7. Address common coding vulnerabilities in software-development processes such as cross-site scripting (XSS).

  32. PCI DSS v3.2.1 - Requirement 6.5.9. Address common coding vulnerabilities in software-development processes such as cross-site request forgery (CSRF).
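
The header checks quoted above from ASVS 8.2.1, 14.4.x and 14.5.3 can be run against a response automatically. The following is an added example, not code from this page or its publisher: the function name `audit_headers`, the set of Referrer-Policy values accepted beyond the two ASVS names, and both sample header sets are assumptions made for illustration.

```python
import re

# Referrer-Policy values this example accepts (14.4.6 names the first two;
# the other two are this example's assumption).
SUITABLE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin"}

def audit_headers(headers, sensitive=False):
    """Return the ASVS checks cited on this page that a response fails."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    hsts = h.get("strict-transport-security", "")
    findings = []
    if "charset=" not in h.get("content-type", ""):
        findings.append("14.4.1 Content-Type has no charset")
    if not csp:
        findings.append("14.4.3 Content-Security-Policy missing")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("14.4.4 X-Content-Type-Options is not nosniff")
    max_age = re.search(r'max-age="?(\d+)', hsts)
    if not max_age or int(max_age.group(1)) == 0 or "includesubdomains" not in hsts:
        findings.append("14.4.5 HSTS missing, zero max-age, or no includeSubDomains")
    # A comma-separated value is a fallback chain; only the last entry is checked here.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip()
    if referrer not in SUITABLE_REFERRER:
        findings.append("14.4.6 Referrer-Policy missing or permissive")
    framed = h.get("x-frame-options") in ("deny", "sameorigin")
    if not framed and "frame-ancestors" not in csp:
        findings.append("14.4.7 no framing restriction")
    if h.get("access-control-allow-origin") in ("*", "null"):
        findings.append("14.5.3 CORS allows any origin or the null origin")
    if sensitive and "no-store" not in h.get("cache-control", ""):
        findings.append("8.2.1 sensitive response is cacheable")
    return findings

# Constructed sample responses (not captured from a real system).
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=0",
        "Referrer-Policy": "unsafe-url", "Access-Control-Allow-Origin": "null"}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=15724800; includeSubdomains",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(sample, sensitive=True))
```

A check like this only confirms that a header is present and not obviously weak; it does not judge whether the Content-Security-Policy itself is restrictive enough, which 14.4.3 still requires reviewing.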

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
