Feature #269: [Security Audit Round 2 ] Security headers are not Implemented (Repeted) - E-Arogya - Redmine

Actions

Copy link

Feature #269

open

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] Security headers are not Implemented (Repeted)

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status:

Ready for Prod

Priority:

Normal

Assignee:

Harish Beechani

Category:

Target version:

Security Audit

Start date:

07/05/2024

Due date:

% Done:

Estimated time:

(Total: 19:00 h)

Deployed In:

Category:

Description

Security headers are not Implemented
observation : Repeated
CWE : CWE-16
Description :
Modern browsers support many HTTP headers that can improve web application
security to protect against clickjacking, cross-site scripting, and other common attacks.
Affected Path(s) :
/(WebServer)
Impact :
Client side attacks like clickjacking, XSS, history hijacking, etc may be possible if
security headers are missing in the response headers.
Evidence/Proof Of Concept :
Step 1: It was observed that Security Headers are not implemented in the Application as
shown below screenshot.

Recommendation :
It is recommended to implement following security headers with the values required for
the application. Sample configuration:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains;
preload

Files

clipboard-202405011308-8lab2.png (91.3 KB) clipboard-202405011308-8lab2.png

Kalyan Battula, 01/05/2024 01:07 PM

Subtasks 1 (1 open — 0 closed)