X-Frame-Options header is not included in the HTTP response to protect against ClickJacking attacks.
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEO
The integrity attribute is missing on a script or link tag served by an external server. The integrity attribute prevents an attacker who has gained access to this server from injecting malicious content.
Provide a valid integrity attribute to the tag.
At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the noopener and noreferrer keywords in the rel attribute, which allows the target page to take control of this page.
Do not use a target attribute, or if you have to then also add the attribute: rel="noopener noreferrer".
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: Content-Security-Policy for Chrome 25+, Firefox 23+ and Safari 7+, X-Content-Secur
The page includes one or more script files from a third-party domain.
The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.
Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the X-XSS-Protection HTTP response header on the web server.
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
No Anti-CSRF tokens were found in an HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an actio
Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, use anti-CSRF packages such as the OWASP CSRFGuard
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and di
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern
The page includes mixed content, that is content accessed via HTTP instead of HTTPS.
A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.
The page must not contain any content that is transmitted over unencrypted HTTP.
This includes content from third party s
The web/application server is leaking information via one or more X-Powered-By HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulner
Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Powered-By headers.
The web/application server is leaking version information via the Server HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.
Ensure that your web server, application server, load balancer, etc. is configured to suppress the Server header or provide generic details.
Feature Policy Header is an added layer of security that helps to restrict unauthorized access to or usage of browser/client features by web resources. This policy ensures user privacy by limiting or specifying the features of the browsers c
Ensure that your web server, application server, load balancer, etc. is configured to set the Feature-Policy header.
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to require-corp for documents.
If possible, ensure that the end user uses a standar
Ensure that the HttpOnly flag is set for all cookies.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).
Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a cross-site request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion,
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
A timestamp was disclosed by the application/web server - Unix
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the resp
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by anoth
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
This is an informational alert and so no changes are required.
Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/develope
Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.
The content may be marked as storable by ensuring that the following conditions are satisfied:
The request method must be understood by the cache and defined as being cacheable (GET, HEAD, and POST are currently defined as cacheable)
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)