Third-Party Website Testing: Detection of HTTP Response Header Security Configuration in Web Security Testing

Security Header Detection
1. Strict-Transport-Security (HSTS)
2. Check max-age value: should be ≥ 15552000 seconds (180 days)
3. Check includeSubDomains directive: ensure it includes subdomains
4. Validate preload directive: must be set to join the preload list
Example: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

X-Content-Type-Options
Only valid value: nosniff
Prevents browser MIME type sniffing
Example: X-Content-Type-Options: nosniff
X-Frame-Options
Valid values: DENY (completely deny), SAMEORIGIN (allow same origin), ALLOW-FROM uri (specify source)
Defends against clickjacking attacks
Example: X-Frame-Options: SAMEORIGIN
Content-Security-Policy
Check default-src directive: set default loading policy
Validate script-src directive: restrict JavaScript execution sources
Check style-src directive: control CSS loading sources
Example: Content-Security-Policy: default-src ‘self’; script-src ‘self’ https://www.zmtests.com
X-XSS-Protection
Recommended configuration: X-XSS-Protection: 1; mode=block
Enables browser XSS filtering mechanism
Example: X-XSS-Protection: 1; mode=block
Referrer-Policy
Common value: strict-origin-when-cross-origin
Controls Referer header information leakage
Example: Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Check permissions for sensitive features like camera, microphone, geolocation
Example: Permissions-Policy: camera=(), microphone=(), geolocation=(self)

Detection Methods and Tools
Manual Detection
Use browser developer tools to check the Network tab:
View any HTTP response header information
Verify the existence and correctness of security headers
Automated Scanning
OWASP ZAP: Automatically identifies missing security headers
Nmap script: http-security-headers.nse detection
Custom script: curl -I https://zmtests.com | grep -i “strict-transport-security”
Key Points of Detection Report
1. List missing security headers
2. Mark incorrectly configured values
3. Provide remediation suggestions and correct examples
4. Assess risk level (high/medium/low)

Common Configuration Errors and Issues:
HSTS Configuration Defects
max-age value too low (<180 days)
Missing includeSubDomains directive
HTTPS site not deploying HSTS
CSP Policy Issues
Using unsafe-inline or unsafe-eval
Missing default-src directive
Overly broad resource loading range (*)
Use of Deprecated Headers
Still using X-XSS-Protection (deprecated in modern browsers)
Missing a more secure Content-Security-Policy
Correctly configuring HTTP security headers can effectively defend against over 60% of web attack vectors, with significant improvements in XSS protection, achieving a 100% prevention rate against clickjacking attacks. Security header detection should be included in regular security scanning processes, verifying configuration effectiveness before each deployment.

Scan the QR code to follow us