DevSecOpsGuides.com
| No | Name | Description | Policies | Attacks |
|---|---|---|---|---|
| 1 | X-Content-Type-Options | MIME sniffing attacks prevention | `nosniff` -> Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script | Misconfigure, RFD |
| 2 | X-XSS-Protection | Detect reflected cross-site scripting | `0` -> Allow; `1` -> Enables XSS filtering; `mode=block` -> browser will prevent rendering of the page if an attack is detected; `report=<reporting-URI>` -> sanitize the page and report the violation | Misconfigure, CORS, Deception |
| 3 | X-Frame-Options | Browser should be allowed to render a page | `DENY` -> deny displayed in a frame; `SAMEORIGIN` -> displayed if all ancestor frames are same origin to the page itself | Misconfigure, Clickjacking |
| 4 | Content-Security-Policy | Control what origin resources | `default-src` -> come from the site's own origin; `media-src` -> media to trusted providers; `script-src` -> specific server that hosts trusted code | Misconfigure, XSS, Clickjacking |
| 5 | Strict-Transport-Security | Informs browsers that the site should only be accessed using HTTPS | `max-age` -> The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS; `includeSubDomains` -> rule applies to all of the site's subdomains as well | Misconfigure, MITM, SSL/TLS stripping attacks, Cookie hijacking attacks |
| 6 | Referrer-Policy | Sent requests do not include any referrer information | `no-referrer` -> not include any referrer information; `no-referrer-when-downgrade` -> Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file) | Misconfigure, CSRF, Privacy attacks, Information disclosure attacks |
| 7 | Cache-Control | Control caching in browsers and shared caches | `no-cache` -> response must be validated with the origin server before each reuse; `no-store` -> response directive indicates that any caches of any kind (private or shared) should not store this response | Misconfigure, Cache Inspection, Cache Deception |
| 8 | Content-Disposition | Response header is a header indicating if the content is expected to be displayed inline in the browser | `inline`; `attachment`; `filename="filename.jpg"` | Misconfigure, XSS, Clickjacking, RFD |
| 9 | Cross-Origin-Resource-Policy | Protection against certain requests from other origins | `same-site` -> Only requests from the same Site can read the resource; `same-origin` -> requests from the same origin (i.e. scheme + host + port); `cross-origin` -> any origin (both same-site and cross-site) can read the resource | Misconfigure, XSS, Clickjacking |
| 10 | X-* | Extra HTTP Header | `X-Rate-Limit` -> Control Limit of request; `X-Origin` -> Origin of requests; `X-Forwarded-IP` -> Change Real IP | Misconfigure, HTTP Header Injection, Cache Deception, Ratelimit Bypass, DDoS |
| 11 | Content-Encoding | Lists any encodings that have been applied to the representation (message payload), and in what order | `gzip`; `compress`; `deflate`; `br` | Network eavesdropping |
| 12 | Access-Control-Allow-Origin | Whether the response can be shared with requesting code from the given origin | `*`; `<origin>`; `null` | Misconfigure, XSS, Host Header Injection, Cache Poisoning |
| 13 | Access-Control-Allow-Methods | Specifies one or more methods allowed | `POST, GET, OPTIONS`; `*` | Misconfigure, CSRF, XSS |
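As an added example (not part of the DevSecOpsGuides cheat sheet), the check below audits one captured set of response headers against the policies in the table and names the attack class from the "Attacks" column for each weak or missing header. The header set is constructed for the example; the thresholds follow the table only (presence of the directive), not any vendor recommendation.

```python
import re

# Sample response headers (constructed for this example, not captured from a real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; HttpOnly",
    "Cache-Control": "no-cache",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}

def audit_headers(headers):
    """Return {header: finding} for one HTTP response, using the table's policies."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    # Row 1: without nosniff the browser may re-type the body (MIME sniffing, RFD).
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing nosniff (MIME sniffing, RFD)"
    # Row 3: without DENY or SAMEORIGIN any site may frame the page (clickjacking).
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing DENY/SAMEORIGIN (clickjacking)"
    # Row 4: no CSP means no restriction on script/media origins (XSS).
    if "content-security-policy" not in h:
        findings["Content-Security-Policy"] = "missing (XSS)"
    # Row 5: HSTS needs max-age; includeSubDomains extends it to the whole site.
    hsts = h.get("strict-transport-security", "")
    if not re.search(r"max-age=\d+", hsts, re.I):
        findings["Strict-Transport-Security"] = "missing or no max-age (SSL/TLS stripping)"
    elif "includesubdomains" not in hsts.lower():
        findings["Strict-Transport-Security"] = (
            "max-age set but no includeSubDomains (SSL/TLS stripping, cookie hijacking)")
    # Row 6: absent policy leaks full URLs to other sites (information disclosure).
    if "referrer-policy" not in h:
        findings["Referrer-Policy"] = "missing (information disclosure)"
    # Row 7: a response that sets a cookie is per-user; no-cache alone still lets
    # caches store it, only no-store keeps it out of shared caches.
    if "set-cookie" in h and "no-store" not in h.get("cache-control", "").lower():
        findings["Cache-Control"] = "per-user response without no-store (cache deception/inspection)"
    # Rows 12-13: wildcard or null origin, or wildcard methods, open CORS to any caller.
    if h.get("access-control-allow-origin", "").lower() in ("*", "null"):
        findings["Access-Control-Allow-Origin"] = "wildcard/null origin (cross-origin read, cache poisoning)"
    if h.get("access-control-allow-methods", "") == "*":
        findings["Access-Control-Allow-Methods"] = "wildcard methods (CSRF)"
    return findings

if __name__ == "__main__":
    for name, why in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {why}")
```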