Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

The 'report-to' directive allows websites to specify a reporting endpoint where browsers can send CSP violation reports. This helps administrators monitor policy violations and fine-tune their security policies.

While a Content Security Policy has been detected on this host, it is missing the 'report-to' directive, which means potential violations won't be reported automatically. This reduces visibility into security events that could help identify and remediate issues.

Content Security Policy (CSP) is a web security standard that helps prevent attacks like XSS, clickjacking and mixed content by restricting which resources browsers can load.

Several high-risk sources have been detected in the CSP that could allow bypassing these protections through permissive domains or public CDNs. These permissive sources could be exploited by attackers to inject malicious content despite CSP restrictions.

The Content-Type header allows clients to find an appropriate way to render data, omission of the charset can lead to various behaviour like a Cross-Site Scripting abusing the browser's auto-detection mechanism.

Multiple HTTP headers of the same name have been detected. RFC 7230 states a server must not generate multiple header fields with the same field name unless either the entire field value for that header field is defined as a comma-separated list, or the header field is a well-known exception. Strings split across multiple header instances may have unpredictable results, since other elements such as command and whitespace may be inserted during recombination outside the control of the originating serializer.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.

The HSTS policy can be defined with the following settings :

 - max-age: the time, in seconds, that the browser should remember that a site is only to be accessed in HTTPS.

 - includeSubDomains (optional) : if this attribute is specified, the policy applies to all current site subdomains.

 - preload (optional) : Google maintains a compiled list of domains which is directly distributed in some browsers to enforce HTTPS without checking for the HSTS HTTP header. As the domain submission process is public, the preload attribute is used as a validation when a domain is submitted for preloading.

The scanner detected a HSTS policy on the target application.

Cross Origin Resource Sharing (CORS) is an HTML5 technology which gives modern web browsers the ability to bypass restrictions implemented by the Same Origin Policy.

The Same Origin Policy requires that both the JavaScript and the page are loaded from the same domain in order to allow JavaScript to interact with the page. This in turn prevents malicious JavaScript being executed when loaded from external domains.

The CORS policy allows the application to specify exceptions to the protections implemented by the browser, and enables the developer to specify allowlisted for which external JavaScript is permitted to execute and interact with the page.

An insecure CORS configuration allows any website to trigger requests with user credentials to the target application and read the responses, thus enabling attackers to perform privilegied actions or to retrieve potential sensitive information.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS.

The detected HSTS policy doesn't have long max-age value which is a representation (in milliseconds) determining the time in which the client's browser will adhere to the header policy or it doesn't cover subdomains via includeSubDomains directive.

The Content-Type header allows clients to find an appropriate way to render data, omission of this header can facilitate MIME sniffing attacks.

The HTTP headers sent by the remote web server disclose information that can aid an attacker, such as the server version and technologies used by the web server.

Referrer Policy provides mechanisms to websites to restrict referrer information (sent in the referer header) that browsers will be allowed to add.

No Referrer Policy header or metatag configuration has been detected.

Permissions Policy provides mechanisms to websites to restrict the use of browser features in its own frame and in iframes that it embeds.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

CSP has been detected but is configured into to report only mode.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

One or several permissive directives have been detected. See output for more details.

The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms.

The server did not return or returned an invalid 'Cache-Control' header which means page containing sensitive information (password, credit card, personal data, social security number, etc) could be stored on client side disk and then be exposed to unauthorised persons. This URL is flagged as a specific example.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

X-Content-Security-Policy and X-Webkit-CSP HTTP headers are deprecated to implement CSP.

Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.

No CSP header has been detected on this host. This URL is flagged as a specific example.

SameSite is an attribute which can be set on a cookie to instruct the web browser if this cookie can be sent along with cross-site requests to help prevent Cross-Site Request Forgery (CSRF) attacks.

The attribute has three possible values :

 - Strict : the cookie will only be sent in a first-party context, thus preventing cross-site requests initiated from third-party websites to include it.

 - Lax : the cookie is allowed to be sent in GET cross-site requests initiated by the top-level navigation from third-party websites. For example, following an hypertext link from the external website will make the request include the cookie.

 - None : the cookie is explicitly set to be sent by the browser in any context.

The scanner identified the lack of SameSite attribute on cookies set by the application or a misconfiguration.

The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type.

The server did not return a correct 'X-Content-Type-Options' header, which means that this website could be at risk of a Cross-Site Scripting (XSS) attack.

When the `secure` flag is set on a cookie, the browser will prevent it from being sent over a clear text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).

The scanner discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text.

Note that if the cookie does not contain sensitive information, the risk of this vulnerability is mitigated.

The HttpOnly flag assists in the prevention of client side-scripts (such as JavaScript) from accessing and using the cookie.

This can help prevent XSS attacks from targeting the cookies holding the client's session token (setting the HttpOnly flag does not prevent, nor safeguard against XSS vulnerabilities themselves).

HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.

The use of HTTP cookies within the headers, allows a web server to identify each individual client and can therefore determine which clients hold valid authentication, from those that do not. These are known as session cookies.

When a cookie is set by the server (sent the header of an HTTP response) there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser.

One of these flags represents the host, or domain. for which the cookie can be used.

When the cookie is set for the parent domain, rather than the host, this could indicate that the same cookie could be used to access other hosts within that domain. While there are many legitimate reasons for this, it could also be misconfiguration expanding the possible surface of attacks.

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an `X-Frame-Options` header which means that this website could be at risk of a clickjacking attack.

The `X-Frame-Options` HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Cross Origin Resource Sharing (CORS) is an HTML5 technology which gives modern web browsers the ability to bypass restrictions implemented by the Same Origin Policy.

The Same Origin Policy requires that both the JavaScript and the page are loaded from the same domain in order to allow JavaScript to interact with the page. This in turn prevents malicious JavaScript being executed when loaded from external domains.

The CORS policy allows the application to specify exceptions to the protections implemented by the browser, and enables the developer to specify allowlisted domains for which external JavaScript is permitted to execute and interact with the page.

The 'Access-Control-Allow-Origin' header is insecure when set to '*' or null, as it allows any domain to perform cross-domain requests and read responses. An attacker could abuse this configuration to retrieve private content from an application which does not use standard authentication mechanisms (for example, an Intranet allowing access from the internal network only).

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards are used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests a HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.

Scanner discovered that the affected application is using HTTPS however does not use the HSTS header.

ID	Name	Severity
114796	Content Security Policy Missing 'Report-To'	low
114564	Content Security Policy Permissive Sources	info
114382	Missing 'Content-Type' Charset	low
113333	Duplicate HTTP Headers Detected	info
112535	HTTP Strict Transport Security Policy Detected	info
98983	Insecure Cross-Origin Resource Sharing Configuration	medium
98715	Permissive HTTP Strict Transport Security Policy Detected	low
98648	Missing 'Content-Type' Header	low
98618	HTTP Header Information Disclosure	low
98527	Missing Referrer Policy	info
98526	Missing Permissions Policy	info
112555	Report Only Content Security Policy Detected	info
112554	Permissive Content Security Policy Detected	low
112553	Missing 'Cache-Control' Header	low
112552	Deprecated Content Security Policy	low
112551	Missing Content Security Policy	low
115540	Cookie Without SameSite Flag Detected	low
112529	Missing 'X-Content-Type-Options' Header	low
98064	Cookie Without Secure Flag Detected	low
98063	Cookie Without HttpOnly Flag Detected	low
98062	Cookie Set For Parent Domain	info
98060	Missing 'X-Frame-Options' Header	low
98057	Insecure 'Access-Control-Allow-Origin' Header	low
98056	Missing HTTP Strict Transport Security Policy	medium

Detections

Analytics

HTTP Security Header Family for Web App Scanning

low

info

low

info

info

medium

low

low

low

info

info

info

low

low

low

low

low

low

low

low

info

low

low

medium