\begin{enumerate}[label={V11.\arabic*}]
\item Verify that the application accepts only a defined set of required \HTTP{} request methods, such as \GET{} and \POST{} are accepted, and unused methods (e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly

The application treats only \POST{} requests differently from the others, and does so opportunistically: every other method is handled as if it were a \GET{} request.
\item Verify that every \HTTP{} response contains a content type header specifying a safe character set (e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}).

Content type headers may be set anywhere in the application. Furthermore, \code{Response::send} ensures that if no content type header has been set, all responses fall back to \code{text/html; charset=UTF-8}.
\item Verify that \HTTP{} headers added by a trusted proxy or \SSO{} devices, such as a bearer token, are authenticated by the application.
}
% No proxies are present
\item Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame.

The application never supplies an \code{X-FRAME-OPTIONS} header. While this is not really a problem for the home page, a third-party frame should not be able to embed the administrative interfaces of the application, and this should be fixed.
\item Verify that the \HTTP{} headers or any part of the \HTTP{} response do not expose detailed version information of system components.

The headers disclose the \PHP{} version (added by the \PHP{} interpreter by default) and information about the web server. This information is not specific to the application. It would be advisable to hide the \PHP{} version from the client, but how to do so depends on the way the application is installed.
\item Verify that all \API{} responses contain \code{X-Content-Type-Options:}
\code{Content-Disposition: attachment; filename="api.json"} (or other appropriate filename for the content type).

The application does not supply the \code{X-Content-Type-Options} header.
\item Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities.

There is no content security policy in place.
\item Verify that the X-XSS-Protection: 1; mode=block header is in place to enable browser reflected \XSS{}

The application does not supply the \code{X-XSS-Protection} header.
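As an added example, not part of this audit or of the application under review: a small Python check that encodes requirements V11.2 and V11.4 to V11.8 above, run over a constructed header set resembling what the findings describe (the version numbers are placeholders, not values from this report) and over a hardened set that shows what a passing response needs.

```python
import re

# Constructed sample resembling the audited application's responses: version
# strings exposed, no X-Frame-Options, X-Content-Type-Options, CSP or
# X-XSS-Protection. The version numbers are placeholders, not from the report.
OBSERVED = {
    "Server": "Apache/2.4.0 (Debian)",
    "X-Powered-By": "PHP/7.0.0",
    "Content-Type": "text/html; charset=UTF-8",
}

SAFE_CHARSETS = {"utf-8", "iso-8859-1"}
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")  # product/version tokens such as "PHP/7.0.0"

def audit_http_headers(headers, is_api=False):
    """Return {requirement id: finding} for ASVS V11.2 and V11.4 to V11.8.
    An empty dict means every checked requirement is met. V11.1 (methods) and
    V11.3 (proxy/SSO headers) cannot be judged from one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    # V11.2: every response declares a safe character set
    ctype = h.get("content-type", "")
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    if not m or m.group(1).lower() not in SAFE_CHARSETS:
        findings["V11.2"] = "Content-Type lacks a safe charset: %r" % ctype
    # V11.4: framing protection for content that must not be embedded
    xfo = h.get("x-frame-options", "").upper()
    if not xfo.startswith(("DENY", "SAMEORIGIN", "ALLOW-FROM")):
        findings["V11.4"] = "X-Frame-Options missing or unsuitable"
    # V11.5: no component versions in Server / X-Powered-By
    leaks = [n for n in ("server", "x-powered-by") if VERSION_RE.search(h.get(n, ""))]
    if leaks:
        findings["V11.5"] = "version information in " + ", ".join(leaks)
    # V11.6: API responses are neither content-sniffed nor rendered inline
    if is_api:
        missing = []
        if h.get("x-content-type-options", "").lower() != "nosniff":
            missing.append("X-Content-Type-Options: nosniff")
        if not h.get("content-disposition", "").lower().startswith("attachment"):
            missing.append("Content-Disposition: attachment")
        if missing:
            findings["V11.6"] = "missing " + " and ".join(missing)
    # V11.7 and V11.8: CSP and the browser's reflected-XSS filter
    if "content-security-policy" not in h:
        findings["V11.7"] = "no Content-Security-Policy header"
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings["V11.8"] = "X-XSS-Protection: 1; mode=block missing"
    return findings
```

Current browsers no longer ship the reflected-XSS filter that V11.8 relies on, so in practice the CSP check (V11.7) is the one that carries the mitigation.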