Description

Some of the server's response headers are not properly set. They are needed because they make the pages it hosts less susceptible to attacks, such as click-jacking and XSS.

Recommendation

For application servers, the required HTTP headers are the following:

• Access-Control-Allow-Origin

• Cache-Control

• Content-Security-Policy

• Expires

• Content-Type

• Strict-Transport-Security (HSTS)

• X-Permitted-Cross-Domain-Policies

• Pragma

• X-Content-Type-Options

• X-Frame-Options

For API servers, the required HTTP headers are the following:

• Content-Type

• Accept

• Strict-Transport-Security (HSTS)

• X-Content-Type-Options

Requirements

• 062. Define standard configurations

• 175. Protect pages from clickjacking