This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

[Security] Missing HTTP security headers #122

Closed
ChaituVR opened this issue Sep 22, 2020 · 0 comments


For #118

| HTTP Security Header | Header Role | Status |
|---|---|---|
| X-Frame-Options | Protects against Clickjacking attacks | Not set |
| X-XSS-Protection | Mitigates Cross-Site Scripting (XSS) attacks | Not set |
| X-Content-Type-Options | Prevents possible phishing or XSS attacks | Not set |

Risk description:
Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third-party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without the user's consent (e.g. delete user, subscribe to newsletter, etc.). This is called a Clickjacking attack and it is described in detail here:
https://owasp.org/www-community/attacks/Clickjacking

The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when it detects reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such a vulnerability.

The HTTP X-Content-Type-Options header is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.

Recommendation:
We recommend that you add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking attacks.
More information about this issue:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block".
More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

We recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".
More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Source:
https://pentest-tools.com/website-vulnerability-scanning/website-scanner#
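The following is an added example, not code from this repository or from the scanner report above. It turns the three findings into something a maintainer can run: a header map with the values the report recommends, an `auditHeaders()` check that reproduces the scanner's "Not set" result against a constructed response (and also flags weak values such as `X-XSS-Protection: 0`), and a `withSecurityHeaders()` helper that fills in any of the three headers a handler did not already set. The header names `RECOMMENDED_HEADERS`, the function names and the sample response are all assumptions made for this example; `DENY` is chosen for X-Frame-Options because the report does not state a value (use `SAMEORIGIN` if the app frames its own pages). One caveat on the second finding: current Chrome, Edge and Firefox no longer honour X-XSS-Protection, so setting it as recommended is harmless but a Content-Security-Policy is what actually mitigates XSS in today's browsers.

```javascript
// Added example (not from the issue or the repository): recommended
// response headers from the scanner report, an audit that reproduces the
// "Not set" finding, and a helper that adds the headers to a response map.

// Values as the report recommends. DENY is an assumption for X-Frame-Options
// (the report gives no value); SAMEORIGIN is the alternative.
const RECOMMENDED_HEADERS = Object.freeze({
  "x-frame-options": "DENY",
  "x-xss-protection": "1; mode=block",
  "x-content-type-options": "nosniff",
});

// Per-header acceptance checks. ALLOW-FROM is obsolete and unsupported by
// modern browsers, so only DENY / SAMEORIGIN count as a protective value.
const ACCEPTED = {
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.trim().toLowerCase()),
  "x-xss-protection": (v) => /^1\s*;\s*mode\s*=\s*block$/i.test(v.trim()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
};

// Lower-case header names and join multi-valued headers, so the audit works
// on a hand-built object as well as on Node's res.getHeaders() output.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
  }
  return out;
}

// Classify each recommended header as missing, weak (present but not a
// protective value) or ok. Returns { missing: [], weak: [], ok: [] }.
function auditHeaders(headers) {
  const h = normalise(headers);
  const result = { missing: [], weak: [], ok: [] };
  for (const name of Object.keys(RECOMMENDED_HEADERS)) {
    if (!(name in h)) result.missing.push(name);
    else if (!ACCEPTED[name](h[name])) result.weak.push(name);
    else result.ok.push(name);
  }
  return result;
}

// Return a copy of a response header map with any of the three headers
// that the handler did not already set filled in with the recommended value.
function withSecurityHeaders(headers) {
  const merged = { ...headers };
  const present = new Set(Object.keys(headers).map((n) => n.toLowerCase()));
  for (const [name, value] of Object.entries(RECOMMENDED_HEADERS)) {
    if (!present.has(name)) merged[name] = value;
  }
  return merged;
}

// Constructed sample: the kind of response the scanner reported on, with
// content headers but none of the three security headers.
const SCANNED_RESPONSE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Cache-Control": "no-cache",
};

// Stand-alone demo: audit the sample before and after adding the headers.
console.log("before:", auditHeaders(SCANNED_RESPONSE_HEADERS));
console.log("after: ", auditHeaders(withSecurityHeaders(SCANNED_RESPONSE_HEADERS)));
```

In a Node/Express app the same `withSecurityHeaders()` map can be passed to `res.writeHead(status, headers)` or applied with `res.setHeader()` in a middleware, and `auditHeaders(res.getHeaders())` can be asserted in an integration test so the finding cannot silently regress.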

@ChaituVR ChaituVR closed this as completed Oct 1, 2020