Insecure HTTP headers

carsten.mueller.lemb · December 8, 2017, 11:57pm

During our security review we figured out that.
Response header is exposing technology used:

server:nginx

Strict transport layer security and other headers are missing:

Strict-Transport-Security:max-age=15552000; includeSubDomains
X-DNS-Prefetch-Control:off
X-XSS-Protection:1; mode=block

jmangelo · December 11, 2017, 8:07pm

The HSTS header should be there although at this time it does not include the sub-domains option. In relation to the other situations you should update the question with the relevant endpoints that you tested and where you observed each behavior.

Topic		Replies	Views
HTTP Strict Transport Security header not present on custom domain Help security-question-concern , security-compliance	3	1744	March 2, 2023
Security Headers on /.well-known/jwks.json Endpoint Knowledge Articles x-frame , security-headers	1	300	March 26, 2024
Flask+React Guide Questions Help security-question-concern , security-compliance	0	147	June 19, 2024
502 Bad Gateway errors due to large response headers from Auth0 Help auth0-php , sdks-quickstarts	1	46	October 7, 2024
Regression: The .well-known/jwks.json file throws 502 Bad Gateway Help auth0	5	3666	February 4, 2021

Insecure HTTP headers

Related Topics