Module 05 · HTTP Headers¶
Flag: --skip-headers
Audits HTTP response headers for security misconfigurations.
Required security headers¶
| Header | Severity if absent | Notes |
|---|---|---|
| Content-Security-Policy | MEDIUM | Also audits CSP value for unsafe-inline, unsafe-eval, wildcards |
| X-Frame-Options | MEDIUM | Clickjacking protection |
| X-Content-Type-Options | LOW | MIME sniffing prevention |
| Referrer-Policy | LOW | URL leakage control |
| Permissions-Policy | LOW | Browser API restrictions |
| Cross-Origin-Opener-Policy | LOW | Cross-origin isolation |
| Cross-Origin-Resource-Policy | LOW | Resource access control |
CSP deep audit¶
When CSP is present, the module further checks:
| CSP Condition | Severity |
|---|---|
| unsafe-inline or unsafe-eval present | MEDIUM |
| Wildcard (*) in script-src or default-src | HIGH |
Version-leaking headers¶
Headers that should not be present in production:
Server · X-Powered-By · X-AspNet-Version · X-AspNetMvc-Version · X-Generator · X-CF-Powered-By
Each such header present in the response is flagged as LOW.
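The following is an added example of the three checks above (required-header presence, the CSP deep audit and version-leaking headers) written as plain Python over a captured header dict; it is not the module's own code. The function names, the `(check, severity, detail)` finding shape and the sample headers are assumptions made for the example; the severities come from the tables on this page.

```python
"""Header audit in the style of this module: required-header presence,
CSP value deep audit and version-leaking headers (example code, not the tool's)."""
from typing import Dict, List, Tuple

# (header, severity if absent), taken from the required-headers table above
REQUIRED_HEADERS = [
    ("Content-Security-Policy", "MEDIUM"),
    ("X-Frame-Options", "MEDIUM"),
    ("X-Content-Type-Options", "LOW"),
    ("Referrer-Policy", "LOW"),
    ("Permissions-Policy", "LOW"),
    ("Cross-Origin-Opener-Policy", "LOW"),
    ("Cross-Origin-Resource-Policy", "LOW"),
]

# Headers that disclose server software or version; each one present is LOW
VERSION_LEAKING_HEADERS = [
    "Server", "X-Powered-By", "X-AspNet-Version",
    "X-AspNetMvc-Version", "X-Generator", "X-CF-Powered-By",
]

Finding = Tuple[str, str, str]  # (check, severity, detail); shape is an assumption


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}. Directive names are
    case-insensitive, so they are lower-cased; source tokens are kept as-is."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value: str) -> List[Finding]:
    """CSP deep audit: 'unsafe-inline'/'unsafe-eval' in any directive is MEDIUM,
    a bare wildcard source in script-src or default-src is HIGH."""
    findings: List[Finding] = []
    for directive, sources in parse_csp(value).items():
        keywords = [s.lower().strip("'") for s in sources]
        for keyword in ("unsafe-inline", "unsafe-eval"):
            if keyword in keywords:
                findings.append(("csp", "MEDIUM", f"'{keyword}' in {directive}"))
        # A bare "*" allows any origin. A host wildcard such as *.example.com
        # is a narrower pattern and is deliberately not flagged by this check.
        if directive in ("script-src", "default-src") and "*" in sources:
            findings.append(("csp", "HIGH", f"wildcard source in {directive}"))
    return findings


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Run the presence, CSP and version-leak checks over one response's headers.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[Finding] = []
    for name, severity in REQUIRED_HEADERS:
        if name.lower() not in lowered:
            findings.append((name, severity, "header absent"))
    if "content-security-policy" in lowered:
        findings.extend(audit_csp(lowered["content-security-policy"]))
    for name in VERSION_LEAKING_HEADERS:
        if name.lower() in lowered:
            findings.append((name, "LOW", f"present: {lowered[name.lower()]}"))
    return findings


# Constructed sample response headers for the example (not captured from a real host)
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.1",
    "Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'; img-src https:",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for check, severity, detail in audit_headers(SAMPLE_HEADERS):
        print(f"{severity:6} {check}: {detail}")
```

On the constructed sample this yields nine findings: five absent headers, one MEDIUM and one HIGH from the CSP value, and two version-leaking headers. Note that the wildcard check only fires on a bare `*`; a policy such as `script-src *.cdn.example` is not treated as a wildcard here, which matches the wording of the table but is a choice you may want to tighten.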
Cookie security flags¶
Every Set-Cookie response header is analysed for:
| Missing flag | Severity |
|---|---|
| HttpOnly | MEDIUM |
| Secure | MEDIUM |
| SameSite | LOW |
| SameSite=None without Secure | MEDIUM |
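As an added illustration of the cookie table (example code, not the module's own), the block below parses each Set-Cookie header of a response and applies the four rules. Function names, the finding shape and the sample cookies are assumptions; the severities are the ones listed above. One detail worth seeing in code: a response may carry several Set-Cookie headers, and unlike other headers they must be kept separate rather than joined with commas, because cookie attributes such as `Expires` contain commas themselves.

```python
"""Set-Cookie flag audit matching the cookie table on this page (example code)."""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (cookie name, severity, detail); shape is an assumption


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    The first name=value pair is the cookie; attribute names are case-insensitive
    and flag-style attributes (HttpOnly, Secure) have no value, stored as None."""
    pairs = [p.strip() for p in header.split(";")]
    name = pairs[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for pair in pairs[1:]:
        if not pair:
            continue
        key, _, val = pair.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return name, attrs


def audit_set_cookie(header: str) -> List[Finding]:
    """Apply the cookie table to a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    findings: List[Finding] = []
    if "httponly" not in attrs:
        findings.append((name, "MEDIUM", "HttpOnly missing"))
    if "secure" not in attrs:
        findings.append((name, "MEDIUM", "Secure missing"))
    if "samesite" not in attrs:
        findings.append((name, "LOW", "SameSite missing"))
    # SameSite=None is only honoured by browsers when Secure is also set,
    # so None without Secure is both rejected and a weaker posture: MEDIUM.
    elif (attrs["samesite"] or "").lower() == "none" and "secure" not in attrs:
        findings.append((name, "MEDIUM", "SameSite=None without Secure"))
    return findings


def audit_cookies(set_cookie_headers: List[str]) -> List[Finding]:
    """Audit every Set-Cookie header of one response. Pass them as a list, one
    header value per entry; do not pre-join them with commas."""
    findings: List[Finding] = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header))
    return findings


# Constructed sample Set-Cookie headers for the example (not from a real host)
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracker=xyz; Path=/; SameSite=None",
    "prefs=dark; Path=/; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == "__main__":
    for name, severity, detail in audit_cookies(SAMPLE_SET_COOKIE):
        print(f"{severity:6} {name}: {detail}")
```

On the sample, `session` is clean, `tracker` produces three MEDIUM findings (HttpOnly missing, Secure missing, SameSite=None without Secure) and `prefs` produces one MEDIUM and one LOW. The `Expires` value on `prefs` is what would be mangled if the headers were comma-joined first.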
HTTP → HTTPS redirect¶
Checks whether a plain-HTTP request is redirected (a 3xx response whose Location points at an https:// URL) to HTTPS.
| Condition | Severity |
|---|---|
| HTTP does not redirect to HTTPS | MEDIUM |
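The decision behind that single table row, as an added example that is not the module's own code: given the status and Location of the response to a plain-HTTP request, classify whether it upgrades to HTTPS. The function names and the request URLs are assumptions for the example; no network request is made. Two edge cases are handled that a naive `startswith("https://")` misses: Location may be a relative reference (RFC 7231 permits this, and it resolves against the request URL, so it stays on http), and a redirect may upgrade the scheme while changing host.

```python
"""Classify an HTTP -> HTTPS redirect from a response's status and Location (example code)."""
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Finding = Tuple[str, str, str]  # (check, severity, detail); shape is an assumption

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_http_redirect(request_url: str, status: int,
                           location: Optional[str]) -> Tuple[bool, str]:
    """Return (upgrades_to_https, reason) for the response to a plain-http request."""
    if status not in REDIRECT_STATUSES or not location:
        return False, "no redirect"
    # Location may be relative; resolve it against the request URL first.
    target = urlsplit(urljoin(request_url, location))
    if target.scheme.lower() != "https":
        return False, f"redirects to {target.scheme or 'http'}"
    if target.hostname != urlsplit(request_url).hostname:
        return True, f"upgrades to https on another host: {target.hostname}"
    return True, "upgrades to https"


def audit_redirect(request_url: str, status: int, location: Optional[str]) -> List[Finding]:
    """Emit the MEDIUM finding from the table when the request is not upgraded."""
    upgrades, reason = classify_http_redirect(request_url, status, location)
    return [] if upgrades else [("http-redirect", "MEDIUM", reason)]


if __name__ == "__main__":
    # Constructed responses to http://example.test/ (no real host is contacted)
    for status, location in [(200, None), (301, "https://example.test/"),
                             (302, "/login"), (308, "https://www.example.test/")]:
        print(status, location, classify_http_redirect("http://example.test/", status, location))
```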
Cache-Control¶
| Condition | Severity |
|---|---|
| Cache-Control header absent | LOW |