From: Daan Sprenkels Date: Wed, 9 Nov 2016 12:56:41 +0000 (+0100) Subject: Finished V11 HTTP security X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=def34a25c64324b54c947a676fb16c87bdbfc4fe;p=ssproject1617.git Finished V11 HTTP security --- diff --git a/report/v11_httpsec.tex b/report/v11_httpsec.tex index bf075c6..2b86bac 100644 --- a/report/v11_httpsec.tex +++ b/report/v11_httpsec.tex @@ -52,29 +52,29 @@ information of system components. application is installed. \end{result} -\item\pass{} -\TODO \\ +\item\fail{} Verify that all API responses contain X-Content-Type-Options: nosniff and Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type). \begin{result} + The application does not supply the \texttt{X-Content-Type-Options} header. \end{result} -\item\pass{} -\TODO \\ +\item\fail{} Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities. \begin{result} + There is no content security policy in place. \end{result} -\item\pass{} -\TODO \\ +\item\fail{} Verify that the X-XSS-Protection: 1; mode=block header is in place to enable browser reflected XSS filters. \begin{result} + The application does not supply the \texttt{X-XSS-Protection} header. \end{result} \end{enumerate}
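Review bot: the first result in this hunk only covers half of the requirement it answers. The item asks for two things, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment; filename="api.json"` on API responses, but the result reads only "The application does not supply the \texttt{X-Content-Type-Options} header." and says nothing about `Content-Disposition`. Either record the observation for that header too (missing, present with a different value, or not applicable because the application exposes no API endpoints) or state explicitly that it was not checked, otherwise the \fail{} verdict rests on an incomplete finding. Minor consistency point in the same hunk: the second result, "There is no content security policy in place.", does not name what was inspected, whereas the first and third results name the missing header in \texttt{}; writing it as the absence of a \texttt{Content-Security-Policy} response header (and, if checked, the corresponding \texttt{meta} tag) would make all three results verifiable in the same way.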