Skip to main content

Headers

Description​

  • Cache-Control:
  • The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms.
  • The server did not return (or returned an invalid) 'Cache-Control' header, which means pages containing sensitive information could be stored client-side and then be exposed to unauthorized persons.
  • Content-Type:

    • The Content-Type header was either missing or empty.
  • X-Content-Type-Options:

    • The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ‘nosniff’.
    • This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
  • Strict-Transport-Security:

    • HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).
    • HSTS is an IETF standard track protocol specified in RFC 6797.
  • CookiesSecure:

    • A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
  • CookiesHttpOnly:

    • A cookie has been set without the HttpOnly flag, which means that JavaScript code can access the cookie.
    • If a malicious script runs on this page, then the cookie will be accessible and can be transmitted to another hacker-controlled site. If this is a session cookie, then session hijacking may be possible.
  • VersionDisclosure:

    • The web/application server is leaking server version information via one or more HTTP response headers.
    • Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon, and the vulnerabilities of such components may be subject to the leaked information.

Remediation​

  • Cache-Control:

    • Whenever possible, ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate, and that the pragma HTTP header is set with no-cache.
  • Content-Type:

    • Ensure each page sets the specific and appropriate content-type value for the delivered content.
  • X-Content-Type-Options:

    • Ensure that the application/web server sets the Content-Type header appropriately and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
    • If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all or that can be directed by the web application/web server to not perform MIME-sniffing.
  • Strict-Transport-Security:

    • Ensure that your web server, application server, load balancer, etc., are configured to enforce Strict-Transport-Security.
  • CookiesSecure:

    • Whenever a cookie contains sensitive information or is a session token, it should always be passed using an encrypted channel.
    • Ensure that the secure flag is set for cookies containing such sensitive information
  • CookiesHttpOnly:

    • Ensure that the HttpOnly flag is set for all cookies.
  • VersionDisclosure:

    • Remove headers disclosing server-side softwares version.

GraphQL Specific​

Apollo

To mitigate security risks within the Apollo framework engine, ensure that all dependencies are kept up-to-date, implement proper error handling to avoid leaking sensitive information, and configure security features such as CORS and helmet appropriately to protect against common web vulnerabilities. Additionally, use Apollo's built-in support for validation and sanitization to prevent injection attacks.

Yoga

To mitigate security risks within the Yoga framework engine, ensure that all input is properly sanitized and validated. Implement strict type checking and input validation routines to prevent injection attacks. Regularly update the framework to the latest version to patch known vulnerabilities. Additionally, consider using Content Security Policy (CSP) headers to protect against XSS attacks by controlling the resources that the client is allowed to load.

Awsappsync

To mitigate security risks in AWS AppSync, ensure that all GraphQL resolvers are properly configured to handle errors and exceptions. Implement authorization checks using AWS IAM or custom resolver logic to control access to your GraphQL API. Regularly review and update your security policies and IAM roles to adhere to the principle of least privilege. Additionally, enable logging and monitoring with AWS CloudTrail and Amazon CloudWatch to detect and respond to any suspicious activities promptly.

Graphqlgo

To mitigate security risks in a GraphQL Go framework engine, ensure that all user-supplied inputs are validated and sanitized. Implement proper authentication and authorization checks for each GraphQL resolver. Use a well-maintained library to parse and validate incoming GraphQL queries to prevent injection attacks. Regularly update dependencies to incorporate security patches. Additionally, consider employing query complexity analysis to prevent denial-of-service attacks caused by resource-intensive queries.

Graphqlruby

In the GraphQL Ruby framework, ensure that all user-supplied inputs are validated and sanitized to prevent injection attacks. Use the built-in mechanisms for parameterized queries and avoid interpolating variables directly into queries. Additionally, implement proper authorization checks to ensure that users can only access data for which they have permissions.

Hasura

To mitigate the risk of injection attacks in Hasura, ensure that all GraphQL queries are constructed using parameterized arguments rather than string concatenation. This approach prevents attackers from manipulating the query structure. Additionally, apply strict access controls and validate all inputs to limit the exposure of sensitive data and operations.

REST Specific​

Asp_net

To enhance security in an ASP.NET application, ensure the following: Set 'Cache-Control' headers to 'no-store' for responses containing sensitive data to prevent caching on the client side. Add a 'Content-Type' header with the appropriate MIME type for each response. Implement 'X-Content-Type-Options: nosniff' to block MIME-sniffing and force the browser to stick to the declared content-type. Enable HSTS by adding 'Strict-Transport-Security' header to enforce secure connections. Mark cookies as secure by setting the 'Secure' flag, ensuring they are only sent over HTTPS. Use the 'HttpOnly' flag on cookies to prevent access by JavaScript. Remove or obscure server version information from HTTP response headers to prevent version disclosure. Regularly update the ASP.NET framework and dependencies to mitigate known vulnerabilities.

Ruby_on_rails

For Ruby on Rails applications, ensure the following: Set 'Cache-Control' headers appropriately, particularly for sensitive pages, to 'no-store, no-cache' to prevent caching. Use 'response.headers['Content-Type'] = 'application/json; charset=utf-8' or similar to explicitly set the content type. Add 'X-Content-Type-Options' header with a value of 'nosniff' to prevent MIME-sniffing. Implement HSTS by setting 'Strict-Transport-Security' header. Secure cookies by setting the 'secure' flag on all cookies and use 'HttpOnly' to prevent JavaScript access. Avoid disclosing server version information in HTTP headers. Use Rails security features and keep the framework updated.

Next_js

For a Next.js application, ensure the following security headers are properly set: Set 'Cache-Control' headers to define caching policies, preventing sensitive data from being stored on the client side. Use 'Content-Type' headers to specify the correct media type of the resource. Implement 'X-Content-Type-Options' with the value 'nosniff' to prevent MIME-sniffing. Enable 'Strict-Transport-Security' to enforce secure connections via HTTPS. Secure cookies by setting the 'Secure' flag, ensuring they are only sent over HTTPS. Add the 'HttpOnly' flag to cookies to prevent access by JavaScript. Lastly, avoid disclosing server version information in HTTP response headers to reduce information leakage.

Laravel

In Laravel, ensure secure headers are set by using middleware to add and configure the necessary HTTP headers. For 'Cache-Control', set appropriate cache directives. Use the 'Content-Type' header to specify the correct media type. Implement 'X-Content-Type-Options' with the value 'nosniff' to prevent MIME-sniffing. Enable 'Strict-Transport-Security' to enforce HTTPS. Set the 'secure' flag on cookies to restrict them to encrypted connections and use the 'HttpOnly' flag to protect cookies from being accessed by JavaScript. Avoid disclosing server version information in HTTP response headers.

Express_js

For Express.js applications, ensure that security headers are properly set. Use middleware like helmet to set HTTP headers appropriately. Set 'Cache-Control' to 'no-store' for sensitive pages to prevent caching. Add 'Content-Type' with the correct MIME type for responses. Use 'X-Content-Type-Options' with the value 'nosniff' to prevent MIME-sniffing. Implement HSTS by setting 'Strict-Transport-Security' to enforce secure connections. Mark cookies as 'Secure' and 'HttpOnly' to protect them from interception and access by client-side scripts. Avoid disclosing server version information in HTTP headers. Regularly update Express.js and its dependencies to mitigate known vulnerabilities.

Django

For a Django application, ensure the following settings are configured in your settings.py file: Set 'SECURE_BROWSER_XSS_FILTER = True' to enable the X-XSS-Protection header. Use 'SECURE_CONTENT_TYPE_NOSNIFF = True' to set the X-Content-Type-Options header to 'nosniff'. Implement 'SECURE_HSTS_SECONDS = 31536000' and 'SECURE_HSTS_INCLUDE_SUBDOMAINS = True' to enforce HSTS. Configure 'SESSION_COOKIE_SECURE = True' and 'CSRF_COOKIE_SECURE = True' to send cookies over HTTPS only. Use 'SESSION_COOKIE_HTTPONLY = True' to prevent JavaScript access to session cookies. Avoid disclosing server information by customizing the default error pages and suppressing the 'X-Powered-By' header. Regularly update Django to the latest version to mitigate known vulnerabilities and ensure 'DEBUG = False' in production.

Symfony

To enhance security in a Symfony application, set the 'Cache-Control' header to 'no-store' for responses containing sensitive data to prevent caching. Ensure 'Content-Type' is always specified and accurate. Use the 'X-Content-Type-Options' header with the value 'nosniff' to prevent MIME-sniffing. Implement HSTS by setting the 'Strict-Transport-Security' header. Mark cookies as secure by setting the 'secure' flag and prevent JavaScript access by setting the 'HttpOnly' flag. Avoid disclosing server version information by configuring the server not to send the 'Server' header or by using tools like 'web.config' or '.htaccess' to suppress version information.

Spring_boot

For Spring Boot applications, ensure that security headers are properly set. Configure 'Cache-Control' to prevent sensitive data caching, set 'Content-Type' appropriately, use 'X-Content-Type-Options: nosniff' to block MIME-sniffing, enable HSTS with 'Strict-Transport-Security', and set 'Secure' and 'HttpOnly' flags on cookies. Remove server version information from headers to obscure potential attack vectors. Utilize Spring Security for comprehensive security configurations.

Flask

For Flask applications, ensure the following practices: Set 'Cache-Control' headers appropriately, particularly for sensitive pages, to prevent unauthorized access to cached content. Use 'Response.headers' to add or modify headers. Implement 'Content-Type' headers to specify the media type of the resource. Use 'X-Content-Type-Options' with the value 'nosniff' to prevent MIME-sniffing. Enable 'Strict-Transport-Security' to enforce secure connections via HSTS. When setting cookies, use 'secure=True' to ensure they are only sent over HTTPS, and 'httponly=True' to prevent access to cookie values via JavaScript. Avoid disclosing server version information in HTTP response headers. Regularly update Flask and its dependencies to mitigate known vulnerabilities.

Nuxt

For Nuxt.js applications, ensure that your server configuration sets appropriate HTTP headers. Use the 'helmet' package to set security-related headers. Configure 'Cache-Control' to prevent sensitive data caching, set 'Content-Type' appropriately, enforce 'X-Content-Type-Options: nosniff' to disable MIME-sniffing, enable HSTS with 'Strict-Transport-Security', and set 'Secure' and 'HttpOnly' flags on cookies. Avoid disclosing server versions in headers. Regularly update Nuxt.js and dependencies to mitigate known vulnerabilities.

Fastapi

For FastAPI applications, ensure the following security practices: Set 'Cache-Control' headers appropriately for each response, particularly for sensitive data, to prevent improper caching. Use the 'Content-Type' header to specify the correct MIME type for each response. Implement 'X-Content-Type-Options' with the value 'nosniff' to prevent MIME-sniffing. Enforce HTTPS by setting 'Strict-Transport-Security' headers. Secure cookies by setting the 'Secure' flag, ensuring they are only sent over HTTPS. Protect cookies from client-side scripts by setting the 'HttpOnly' flag. Avoid disclosing server version information in HTTP response headers. Regularly update FastAPI and its dependencies to mitigate known vulnerabilities.

Configuration​

Identifier: protocol/headers

Examples​

Ignore this check​

checks:
protocol/headers:
skip: true

Score​

  • Escape Severity: LOW

Compliance​

  • OWASP: API2:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-52
  • fedramp: SC-28

Classification​

Score​

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References​