application is installed.
\end{result}
-\item\pass{}
-\TODO \\
+\item\fail{}
Verify that all API responses contain X-Content-Type-Options:
nosniff and Content-Disposition:
attachment; filename="api.json" (or other
appropriate filename for the content type).
\begin{result}
+ The application does not supply the \texttt{X-Content-Type-Options} header.
\end{result}
-\item\pass{}
-\TODO \\
+\item\fail{}
Verify that a content security policy (CSPv2) is in
place that helps mitigate common DOM, XSS,
JSON, and JavaScript injection vulnerabilities.
\begin{result}
+ There is no content security policy in place.
\end{result}
-\item\pass{}
-\TODO \\
+\item\fail{}
Verify that the X-XSS-Protection: 1; mode=block
header is in place to enable browser reflected XSS
filters.
\begin{result}
+ The application does not supply the \texttt{X-XSS-Protection} header.
\end{result}
\end{enumerate}
repositories / ssproject1617.git / blobdiff