\item\fail{}
Verify that the application accepts only a defined
-set of required HTTP request methods, such as
-GET and POST are accepted, and unused methods
-(e.g. TRACE, PUT, and DELETE) are explicitly
+set of required \HTTP{} request methods, such as
+\GET{} and \POST{} are accepted, and unused methods
+(e.g. \TRACE{}, \PUT{}, and \DELETE{}) are explicitly
blocked.
\begin{result}
- The application treats only \texttt{POST} requests as different from
+ The application treats only \POST{} requests as different from
others and in an opportunistic manner. It assumes all other methods to be
- treated as \texttt{GET} requests.
+ treated as \GET{} requests.
\end{result}
\item\pass{}
-Verify that every HTTP response contains a
+Verify that every \HTTP{} response contains a
content type header specifying a safe character set
-(e.g., UTF-8, ISO 8859-1).
+(e.g., \emph{UTF-8}, \emph{ISO 8859{-}1}).
\begin{result}
- Content type headers may be set anywhere in the application. Furthermure,
- \texttt{Response::send} ensures that if no content type header is set, all
- responses will fall back to using \texttt{text/html; charset=UTF-8}.
+ Content type headers may be set anywhere in the application. Furthermure,\\
+ \code{Response::send} ensures that if no content type header is set, all
+ responses will fall back to using \code{text/html; charset=UTF-8}.
\end{result}
\notapplicable{\item
-Verify that HTTP headers added by a trusted proxy
-or SSO devices, such as a bearer token, are
+Verify that \HTTP{} headers added by a trusted proxy
+or \SSO{} devices, such as a bearer token, are
authenticated by the application.}
% No proxies are present
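Review bot: the rewritten line `Furthermure,\\` in the content-type result carries the typo over from the line it replaces; since the line is being touched anyway, correct it to `Furthermore,`. The trailing `\\` on that same line also forces a hard line break in running prose inside the `result` environment purely so that `\code{Response::send}` starts a fresh line; unless there is an overfull box that needs it, letting TeX wrap the paragraph is the more conventional choice and avoids an oddly ragged line.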
in use for sites where content should not be
viewed in a 3rd-party X-Frame.
\begin{result}
- The application will never supply an \texttt{X-FRAME-OPTIONS} header. While
+ The application will never supply an \code{X-FRAME-OPTIONS} header. While
this is not really a problem for the home page, a 3rd party X-Frame should
- not be able to refer to the administrative interfaces of the application.
+ not be able to refer to the administrative interfaces of the application
+ and this should be fixed.
\end{result}
\item\pass{}
-Verify that the HTTP headers or any part of the
-HTTP response do not expose detailed version
+Verify that the \HTTP{} headers or any part of the
+\HTTP{} response do not expose detailed version
information of system components.
\begin{result}
- The headers provide information about the PHP version (these are added by
- the PHP interpreter by default) and information about the webserver. This
+ The headers provide information about the \PHP{} version (these are added by
+ the \PHP{} interpreter by default) and information about the webserver. This
information is not specific for the application. It would be advisable to
- hide the PHP version to the client, but this is specific to the way the
+ hide the \PHP{} version to the client, but this is specific to the way the
application is installed.
\end{result}
\item\fail{}
-Verify that all API responses contain X-Content-Type-Options:
-nosniff and Content-Disposition:
-attachment; filename="api.json" (or other
+Verify that all \API{} responses contain \code{X-Content-Type-Options:
+nosniff} and\\
+\code{Content-Disposition: attachment; filename="api.json"} (or other
appropriate filename for the content type).
\begin{result}
- The application does not supply the \texttt{X-Content-Type-Options} header.
+ The application does not supply the \code{X-Content-Type-Options} header.
\end{result}
\item\fail{}
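Review bot: the `\API{}` header item now spells out both required headers in `\code{...}` in its requirement text, but its result (`The application does not supply the \code{X-Content-Type-Options} header.`) still reports on only one of them; the `\fail{}` verdict should also state whether `Content-Disposition: attachment; filename="api.json"` is sent on API responses, otherwise a reader cannot tell if that half of the requirement was checked. Also in this hunk, the version-information item keeps its `\pass{}` verdict while its result says the headers expose the \PHP{} version and webserver information, which is exactly what the requirement says must not happen; either the verdict should become `\fail{}` with the installation caveat kept as a note, or the result should explain why exposure added by the interpreter is considered out of scope for the application.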
\item\fail{}
Verify that the X-XSS-Protection: 1; mode=block
-header is in place to enable browser reflected XSS
+header is in place to enable browser reflected \XSS{}
filters.
\begin{result}
- The application does not supply the \texttt{X-XSS-Protection} header.
+ The application does not supply the \code{X-XSS-Protection} header.
\end{result}
\end{enumerate}
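Review bot: `X-XSS-Protection: 1; mode=block` on the requirement line is left as plain text, while this same change wraps the equivalent header values in `\code{...}` two items earlier (`\code{X-Content-Type-Options: nosniff}`) and in this item's own result (`\code{X-XSS-Protection}`); wrap it as `\code{X-XSS-Protection: 1; mode=block}` so the items are typeset consistently. Separately, this item and the one before it open with `\item\fail{}` on consecutive lines; if that is not just overlapping diff context at the hunk boundary, one of those items has lost its requirement text and the surrounding lines should be checked.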