Website Security Test

Content Security Policy (CSP) Not Implemented

INFORMATIONAL

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.

HTTP Strict Transport Security (HSTS) Policy Not Implemented

LOW

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

It's recommended to implement HTTP Strict Transport Security (HSTS) into your web application. Consult web references for more information

Referrer-Policy Header Not Implemented

INFORMATIONAL

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Mozilla The Referer (sic) header contains the address of the previous web page from which a link to the currently requested page was followed, which has lots of fairly innocent uses including analytics, logging, or optimized caching. However, there are more problematic uses such as tracking or stealing information, or even just side effects such as inadvertently leaking sensitive information.

Configure your server to send the Referrer-Policy header for all pages with the value set to strict-origin-when-cross-origin. You can see references for other possible values.

X-Frame-Options Header Not Implemented

LOW

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

Configure your server to send this header for all pages. You can see references for possible values.

X-Content-Type-Options Header Not Implemented

INFORMATIONAL

The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type ( MIME type). This is known as MIME sniffing in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.

Configure your server to send this header with the value set to nosniff.

X-XSS-Protection Header Not Implemented

INFORMATIONAL

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Chrome has removed their XSS Auditor Firefox has not, and will not implement X-XSS-Protection Edge has retired their XSS filter This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.

Do not send this header or set 0 as value.

Permissions-Policy header Not Implemented

INFORMATIONAL

The Permissions-Policy header allows developers to selectively enable and disable use of various browser features and APIs.

Configure Permission Policy Header properly

Robots.txt file Found

INFORMATIONAL

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index. The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.

X-Permitted-Cross-Domain-Policies is Not Implemented

INFORMATIONAL

This header is used to limit which data external resources, such as Adobe Flash and PDF documents, can access on the domain. Failure to set the X-Permitted- Cross-Domain-Policies header to “none” value allows other domains to embed the application’s data in their content.

If there is no requirement to load application data within web clients such as Adobe Flash Player or Adobe Acrobat (not limited to these), then the header should be configured as follows. X-Permitted-Cross-Domain-Policies: none

SSL/TLS Not Implemented

MEDIUM

This scan target was connected to over an unencrypted connection. A potential attacker can intercept and modify data sent and received from this site.

The site should send and receive data over a secure (HTTPS) connection.

Misconfigured Access-Control-Allow-Origin Header

MEDIUM

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites

Allow only selected, trusted domains in the Access-Control-Allow-Origin header.

.htacces File Detected

INFORMATIONAL

This directory contains .htaccess file that is readable.This may indicate a server misconfiguration. htaccess files are designed to be parsed by web server and should not be directly accessible . These files could contain sensitive information that could help an attacker to conduct further more attacks.It is recommended to restrict access to these files

Restrict access .htaccess files by adjusting the web server configuration