Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Security Header Detection

1. Strict-Transport-Security (HSTS)

2. Check max-age value: should be ≥ 15552000 seconds (180 days)

3. Check includeSubDomains directive: ensure it includes subdomains

4. Validate preload directive: must be set to join the preload list

Example: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

X-Content-Type-Options

Only valid value: nosniff

Prevents browser MIME type sniffing

Example: X-Content-Type-Options: nosniff

X-Frame-Options

Valid values: DENY (completely deny), SAMEORIGIN (allow same origin), ALLOW-FROM uri (specify source)

Defends against clickjacking attacks

Example: X-Frame-Options: SAMEORIGIN

Content-Security-Policy

Check default-src directive: set default loading policy

Validate script-src directive: restrict JavaScript execution sources

Check style-src directive: control CSS loading sources

Example: Content-Security-Policy: default-src ‘self’; script-src ‘self’ https://www.zmtests.com

X-XSS-Protection

Recommended configuration: X-XSS-Protection: 1; mode=block

Enables browser XSS filtering mechanism

Example: X-XSS-Protection: 1; mode=block

Referrer-Policy

Common value: strict-origin-when-cross-origin

Controls Referer header information leakage

Example: Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Check permissions for sensitive features like camera, microphone, geolocation

Example: Permissions-Policy: camera=(), microphone=(), geolocation=(self)

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Detection Methods and Tools

Manual Detection

Use browser developer tools to check the Network tab:

View any HTTP response header information

Verify the existence and correctness of security headers

Automated Scanning

OWASP ZAP: Automatically identifies missing security headers

Nmap script: http-security-headers.nse detection

Custom script: curl -I https://zmtests.com | grep -i “strict-transport-security”

Key Points of Detection Report

1. List missing security headers

2. Mark incorrectly configured values

3. Provide remediation suggestions and correct examples

4. Assess risk level (high/medium/low)

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Common Configuration Errors and Issues:

HSTS Configuration Defects

max-age value too low (<180 days)

Missing includeSubDomains directive

HTTPS site not deploying HSTS

CSP Policy Issues

Using unsafe-inline or unsafe-eval

Missing default-src directive

Overly broad resource loading range (*)

Use of Deprecated Headers

Still using X-XSS-Protection (deprecated in modern browsers)

Missing a more secure Content-Security-Policy

Correctly configuring HTTP security headers can effectively defend against over 60% of web attack vectors, with significant improvements in XSS protection, achieving a 100% prevention rate against clickjacking attacks. Security header detection should be included in regular security scanning processes, verifying configuration effectiveness before each deployment.

Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Scan the QR code to follow us

Leave a Comment