Project

General

Profile

Actions
Copy link

Feature #269

open

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] Security headers are not Implemented (Repeted)

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status:
Ready for Prod
Priority:
Normal
Assignee:
Harish Beechani
Category:
-
Target version:
Security Audit
Start date:
07/05/2024
Due date:
% Done:

0%

Estimated time:
(Total: 19:00 h)
Deployed In:
Category:

Description

Security headers are not Implemented
observation : Repeated
CWE : CWE-16
Description :
Modern browsers support many HTTP headers that can improve web application
security to protect against clickjacking, cross-site scripting, and other common attacks.
Affected Path(s) :
/(WebServer)
Impact :
Client side attacks like clickjacking, XSS, history hijacking, etc may be possible if
security headers are missing in the response headers.
Evidence/Proof Of Concept :
Step 1: It was observed that Security Headers are not implemented in the Application as
shown below screenshot.

Recommendation :
It is recommended to implement following security headers with the values required for
the application. Sample configuration:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains;
preload

Files

clipboard-202405011308-8lab2.png (91.3 KB) clipboard-202405011308-8lab2.png Kalyan Battula, 01/05/2024 01:07 PM

Subtasks 1 (1 open0 closed)

Feature #379: [Security Audit Round 2 ] Security headers are not Implemented login screenResolvedUma Maheswarachari Melpati07/05/2024

Actions
Actions
Copy link

Also available in: Atom PDF