Website Security Test

Content Security Policy (CSP) Not Implemented

INFORMATIONAL

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.

HTTP Strict Transport Security (HSTS) Policy Not Implemented

LOW

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

It's recommended to implement HTTP Strict Transport Security (HSTS) into your web application. Consult web references for more information

Referrer-Policy Header Not Implemented

INFORMATIONAL

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Mozilla The Referer (sic) header contains the address of the previous web page from which a link to the currently requested page was followed, which has lots of fairly innocent uses including analytics, logging, or optimized caching. However, there are more problematic uses such as tracking or stealing information, or even just side effects such as inadvertently leaking sensitive information.

Configure your server to send the Referrer-Policy header for all pages with the value set to strict-origin-when-cross-origin. You can see references for other possible values.

X-Frame-Options Header Not Implemented

LOW

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

Configure your server to send this header for all pages. You can see references for possible values.

X-Content-Type-Options Header Not Implemented

INFORMATIONAL

The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type ( MIME type). This is known as MIME sniffing in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.

Configure your server to send this header with the value set to nosniff.

X-XSS-Protection Header Not Implemented

INFORMATIONAL

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Chrome has removed their XSS Auditor Firefox has not, and will not implement X-XSS-Protection Edge has retired their XSS filter This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.

Do not send this header or set 0 as value.

Permissions-Policy header Not Implemented

INFORMATIONAL

The Permissions-Policy header allows developers to selectively enable and disable use of various browser features and APIs.

Configure Permission Policy Header properly

X-Permitted-Cross-Domain-Policies is Not Implemented

INFORMATIONAL

This header is used to limit which data external resources, such as Adobe Flash and PDF documents, can access on the domain. Failure to set the X-Permitted- Cross-Domain-Policies header to “none” value allows other domains to embed the application’s data in their content.

If there is no requirement to load application data within web clients such as Adobe Flash Player or Adobe Acrobat (not limited to these), then the header should be configured as follows. X-Permitted-Cross-Domain-Policies: none

Insecure Configuration Management

MEDIUM

Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. The application discloses information about the technologies used such as the web server, operating system, cryptography tools, or programming languages. An attacker could identify vulnerabilities in these technologies and use them to exploit the server, therefore, potentially exploiting the application.Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

You can disable the server from disclosing this information to users. This is typically done by editing the configuration files of the various technologies and then restarting the system. Basically this involved Operating System and Web Server Hardening. We recommend starting with any existing guidance you can find from your vendor or those available from the various existing security organizations such as OWASP, CERT, and SANS and then tailoring them for your particular needs

OPTIONS Method Enabled

INFORMATIONAL

AWASAF detected that OPTIONS method is allowed. This issue is reported as extra information. Information disclosed from this page can be used to gain additional information about the target system.

Disable OPTIONS method in all production systems.

HTTP PUT method is enabled

HIGH

The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

Disable the HTTP PUT method on the server.

Misconfigured Access-Control-Allow-Origin Header

MEDIUM

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites

Allow only selected, trusted domains in the Access-Control-Allow-Origin header.