Multiple HTTP headers of the same name have been detected. RFC 7230 states a server must not generate multiple header fields with the same field name unless either the entire field value for that header field is defined as a comma-separated list, or the header field is a well-known exception. Strings split across multiple header instances may have unpredictable results, since other elements such as command and whitespace may be inserted during recombination outside the control of the originating serializer.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.

The HSTS policy can be defined with the following settings :

 - max-age: the time, in seconds, that the browser should remember that a site is only to be accessed in HTTPS.

 - includeSubDomains (optional) : if this attribute is specified, the policy applies to all current site subdomains.

 - preload (optional) : Google maintains a compiled list of domains which is directly distributed in some browsers to enforce HTTPS without checking for the HSTS HTTP header. As the domain submission process is public, the preload attribute is used as a validation when a domain is submitted for preloading.

The scanner detected a HSTS policy on the target application.

Cross Origin Resource Sharing (CORS) is an HTML5 technology which gives modern web browsers the ability to bypass restrictions implemented by the Same Origin Policy.

The Same Origin Policy requires that both the JavaScript and the page are loaded from the same domain in order to allow JavaScript to interact with the page. This in turn prevents malicious JavaScript being executed when loaded from external domains.

The CORS policy allows the application to specify exceptions to the protections implemented by the browser, and enables the developer to specify allowlisted for which external JavaScript is permitted to execute and interact with the page.

An insecure CORS configuration allows any website to trigger requests with user credentials to the target application and read the responses, thus enabling attackers to perform privilegied actions or to retrieve potential sensitive information.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.

The detected HSTS policy doesn't have long max-age value which is a representation (in milliseconds) determining the time in which the client's browser will adhere to the header policy or it doesn't cover subdomains via includeSubDomains directive.

The Content-Type header allows clients to find an appropriate way to render data, omission of this header can facilitate MIME sniffing attacks.

The HTTP headers sent by the remote web server disclose information that can aid an attacker, such as the server version and technologies used by the web server.

The Expect-CT header allows sites to opt in to reporting and or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. This URL is flagged as a specific example.

The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

Referrer Policy provides mechanisms to websites to restrict referrer information (sent in the referer header) that browsers will be allowed to add.

No Referrer Policy header or metatag configuration has been detected.

Permissions Policy provides mechanisms to websites to restrict the use of browser features in its own frame and in iframes that it embeds.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

CSP has been detected but is configured into to report only mode.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

One or several permissive directives have been detected. See output for more details.

The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms.

The server did not return or returned an invalid 'Cache-Control' header which means page containing sensitive information (password, credit card, personal data, social security number, etc) could be stored on client side disk and then be exposed to unauthorised persons. This URL is flagged as a specific example.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

X-Content-Security-Policy and X-Webkit-CSP HTTP headers are deprecated to implement CSP.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

No CSP header has been detected on this host. This URL is flagged as a specific example.

The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type.

The server did not return a correct 'X-Content-Type-Options' header, which means that this website could be at risk of a Cross-Site Scripting (XSS) attack.

The HTTP 'X-XSS-Protection' response header is a feature of modern browsers that allows websites to control their XSS auditors.

The server did not return a correct 'X-XSS-Protection' header, which means that this website could be at risk of a Cross-Site Scripting (XSS) attack.

If legacy browsers support is not needed, it is recommended to use Content-Security-Policy without allowing unsafe-inline scripts instead.

The HTTP 'X-XSS-Protection' response header is a feature of modern browsers that allows websites to control their XSS auditors.

The server is not configured to return a 'X-XSS-Protection' header which means that any pages on this website could be at risk of a Cross-Site Scripting (XSS) attack. This URL is flagged as a specific example.

If legacy browsers support is not needed, it is recommended to use Content-Security-Policy without allowing unsafe-inline scripts instead.

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an `X-Frame-Options` header which means that this website could be at risk of a clickjacking attack.

The `X-Frame-Options` HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Cross Origin Resource Sharing (CORS) is an HTML5 technology which gives modern web browsers the ability to bypass restrictions implemented by the Same Origin Policy.

The Same Origin Policy requires that both the JavaScript and the page are loaded from the same domain in order to allow JavaScript to interact with the page. This in turn prevents malicious JavaScript being executed when loaded from external domains.

The CORS policy allows the application to specify exceptions to the protections implemented by the browser, and enables the developer to specify allowlisted domains for which external JavaScript is permitted to execute and interact with the page.

The 'Access-Control-Allow-Origin' header is insecure when set to '*' or null, as it allows any domain to perform cross-domain requests and read responses. An attacker could abuse this configuration to retrieve private content from an application which does not use standard authentication mechanisms (for example, an Intranet allowing access from the internal network only).

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards are used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests a HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.

Scanner discovered that the affected application is using HTTPS however does not use the HSTS header.

ID	Name	Severity
113333	Duplicate HTTP Headers Detected	info
112535	HTTP Strict Transport Security Policy Detected	info
98983	Insecure Cross-Origin Resource Sharing Configuration	medium
98715	Permissive HTTP Strict Transport Security Policy Detected	medium
98648	Missing 'Content-Type' Header	low
98618	HTTP Header Information Disclosure	low
98612	Missing 'Expect-CT' Header (deprecated)	info
98527	Missing Referrer Policy	info
98526	Missing Permissions Policy	info
112555	Report Only Content Security Policy Detected	info
112554	Permissive Content Security Policy Detected	low
112553	Missing 'Cache-Control' Header	low
112552	Deprecated Content Security Policy	low
112551	Missing Content Security Policy	low
112529	Missing 'X-Content-Type-Options' Header	low
112527	Disabled 'X-XSS-Protection' Header	info
112526	Missing 'X-XSS-Protection' Header	info
98060	Missing 'X-Frame-Options' Header	low
98057	Insecure 'Access-Control-Allow-Origin' Header	low
98056	Missing HTTP Strict Transport Security Policy	medium

Detections

Analytics

HTTP Security Header Family for Web App Scanning

info

info

medium

medium

low

low

info

info

info

info

low

low

low

low

low

info

info

low

low

medium