Supported endpoint configuration

Security Headers

Security Headers describes HTTP response headers that can be used to increase the security of your application. In other words, these headers instruct the web browser to activate a set of security precautions that protect your site against attacks.

Supported Headers

Strict-Transport-Security

Strict Transport Security is a web security policy mechanism which helps safeguard websites against protocol downgrade attacks and cookie hijacking. This policy lets a web server declare that browsers must interact with it only over secure HTTPS connections and never over the insecure HTTP protocol.

X-Frame-Options

The X-Frame-Options response header improves the protection of web applications against Clickjacking. It disables framing of the site in iframes and does not allow others to embed your content.

X-XSS-Protection

X-XSS-Protection allows developers to change the behaviour of the Cross-Site Scripting security filters. These filters identify unsafe HTML input and either block the site from loading or remove potentially malicious scripts.

X-Content-Type-Options

This header is typically used to control the MIME type sniffing function in web browsers. If the Content-Type header is blank or missing, the browser inspects the content itself and attempts to display it in what it judges to be an appropriate way.

Content-Security-Policy

This header provides an extra layer of security against multiple vulnerabilities such as XSS, Clickjacking, Protocol Downgrading and Frame Injection. If enabled, it has a significant impact on the way browsers render pages.

X-Permitted-Cross-Domain-Policies

A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.

Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests. In other words, this security header can be included in communication from a website's server to a client.

Feature-Policy

The Feature-Policy header provides a mechanism to allow and deny the use of browser features and APIs in its own frame.

Access-Control-Allow-Origin

The Access-Control-Allow-Origin header is included in a website's response to a request originating from another website, and identifies the permitted origin of that request.

Expect-CT

This is a response header that prevents the use of wrongly issued certificates for a site and ensures that such misissuance does not go unnoticed.

Public-Key-Pins

This response header is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.

How do the headers affect the server rating?

For example, the Strict-Transport-Security header is rated as follows:

Validation                                    Server rating
max-age < 10368000 (120 days)                 At risk
max-age >= 10368000 and max-age < 31536000    Secure
max-age >= 31536000 (1 year)                  Very Secure

The Strict-Transport-Security header is rated only if the request succeeds (HTTP 200 OK).
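As an added example (not the product's own code), the rating table applied to a raw Strict-Transport-Security header value in Python. It assumes the header is parsed per RFC 6797 (directives separated by semicolons, max-age in seconds, names case-insensitive) and uses the label "Not rated" for a non-200 response or a missing or malformed header, which is this example's own label, not one taken from the page.

```python
import re
from typing import Optional

# Thresholds from the rating table, in seconds: 120 days and 1 year.
AT_RISK_BELOW = 10_368_000      # max-age below this -> "At risk"
VERY_SECURE_FROM = 31_536_000   # max-age at or above this -> "Very Secure"

# One directive: optional whitespace, case-insensitive name, optional quotes.
_MAX_AGE = re.compile(r'^\s*max-age\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)


def parse_max_age(hsts_value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None.

    Directives are separated by ';' (RFC 6797). A duplicated max-age, or
    no max-age at all, makes the header unusable for rating.
    """
    seen = None
    for directive in hsts_value.split(";"):
        m = _MAX_AGE.match(directive)
        if m:
            if seen is not None:   # duplicate max-age: invalid per RFC 6797
                return None
            seen = int(m.group(1))
    return seen


def rate_hsts(status: int, hsts_value: Optional[str]) -> str:
    """Apply the rating table to one response (only 200 OK is rated)."""
    if status != 200 or hsts_value is None:
        return "Not rated"
    max_age = parse_max_age(hsts_value)
    if max_age is None:
        return "Not rated"
    if max_age < AT_RISK_BELOW:
        return "At risk"
    if max_age < VERY_SECURE_FROM:
        return "Secure"
    return "Very Secure"


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "max-age=15768000", "max-age=300", "includeSubDomains"):
        print(f"{value!r:50} -> {rate_hsts(200, value)}")
```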

HTTP response headers

HTTP response headers have information including the date, size and type of file that the web server is sending back to the browser upon receiving an HTTP request.

All the headers received in the HTTP response are available for analysis.

Cipher

For secure communication, the TLS client and the server need to agree on the cryptographic algorithms and keys that both use for the secured connection.

There are many possible combinations of these choices, and TLS allows only certain well-defined combinations, known as cipher suites.

Discovery identifies all the cipher suites supported by the server and classifies them into the Insecure, Weak and Secure categories based on industry best practices.

Weak

  1. Cipher suites using AES in CBC mode
  2. 3DES

Insecure

  1. RC4
  2. EXPORT ciphers
  3. Ciphers using MD5
  4. Null Ciphers
  5. Ciphers using anonymous authentication
  6. DES

The “Secure” category comprises the recommended cipher suites, which are safe to use.