From 9eda01375e790a8f319c4c18e235891a4fb5e72f Mon Sep 17 00:00:00 2001
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 02:55:11 -0700
Subject: [PATCH 1/6] Add check for missing caching and privacy control headers
---
 .../MustContainCachingHeaders.yml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml
diff --git a/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml b/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml
new file mode 100644
index 00000000..8c6fe7d9
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml
@@ -0,0 +1,58 @@
+id: MUST_CONTAIN_RESPONSE_HEADERS_CACHING
+info:
+ name: Missing Caching & Privacy Control Response Headers
+ description: "The response does not contain some Caching & Privacy Control headers."
+ details: >
+ "The endpoint seems to be missing some HTTP security headers which provide yet another layer of security by helping to mitigate attacks and security vulnerabilities."
+ "Background: Whenever a browser requests a page from a web server, the server responds with the content along with Caching & Privacy Control response headers. Some of these headers contain content meta data such as the Content-Encoding, Cache-Control, status codes, etc. Along with these are also HTTP security headers that tell your browser how to behave when handling your website's content. For example, by using the Strict-Transport-Security you can force the browser to communicate solely over HTTPS."
+ impact: "This information can be used to facilitate more sophisticated attacks on your application."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Cache-Control
+ - Clear-Site-Data
+ - Pragma
+strategy:
+ run_once: /
From fd77b8ee7f55bd92ced268f539e37c5b94989494 Mon Sep 17 00:00:00 2001
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 02:58:03 -0700
Subject: [PATCH 2/6] Add rule for missing Transport Security headers
---
 .../MustContainHSTSHeaders.yml | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml
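Review bot: The `validate` block uses `for_one` over the response headers while the intent is that none of the listed headers is present; if `for_one` means "at least one header satisfies the predicate", as its name suggests, then `key: not_contains` is satisfied by any unrelated header such as `Content-Type` and the rule fires on practically every 2xx response. `for_all` would express "no header key is one of these", but it then fires only when every listed header is missing, so a response carrying `Cache-Control` but no `Pragma` passes even though the description says "some" headers are missing — confirm the engine's quantifier semantics and consider one rule per header; the HSTS, CORS, Content-Security and Privacy hunks in this series repeat the same shape. Requiring `Clear-Site-Data` on every 2xx response will be noisy in any case, since that header is meant for logout and session-reset responses, and `Pragma` is an HTTP/1.0 legacy field. `execute` re-sends the original request unchanged (`req: []`), so `nature: INTRUSIVE` reads as wrong for a passive header check, and the `cve` entries appear copied from the original template rather than describing a missing-header misconfiguration.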
diff --git a/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml b/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml
new file mode 100644
index 00000000..758c5a17
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml
@@ -0,0 +1,55 @@
+id: MUST_CONTAIN_TRANSPORT_SEC_RESPONSE_HEADERS
+info:
+ name: Missing Transport Security Response Headers
+ description: "The response does not contain Transport Security headers."
+ details: >
+ "This category enforces the use of secure HTTPS connections between the client and server. It ensures that once a user connects securely, all future requests remain encrypted. This protects against downgrade attacks and interception of unencrypted traffic."
+ impact: "Blocks man-in-the-middle attacks over insecure channels."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Strict-Transport-Security
+strategy:
+ run_once: /
From 78f9f68689c5f10dfd6fc4e5e37e37f8322e17dd Mon Sep 17 00:00:00 2001
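Review bot: `impact` describes what `Strict-Transport-Security` does when present ("Blocks man-in-the-middle attacks over insecure channels.") rather than the consequence of it being absent, which is what the finding's reader needs; suggest `impact: "Without Strict-Transport-Security a client's first request, or any request after a downgrade, can be served over plain HTTP and read or altered in transit."`. The `impact` fields of the CORS, Content-Security and Privacy rules in this series have the same inversion. Browsers ignore HSTS on responses received over plain HTTP, so flagging HTTP-only endpoints is noise; if `api_selection_filters` can match the URL scheme, restrict the rule to HTTPS (I cannot confirm that capability from the hunk). Only the header key's presence is validated, so a `max-age=0` value, which disables HSTS, still passes.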
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 02:59:19 -0700
Subject: [PATCH 3/6] Add CORS response headers validation rule
---
 .../MustContainCORSHeaders.yml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml
diff --git a/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml b/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml
new file mode 100644
index 00000000..4a77adda
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml
@@ -0,0 +1,57 @@
+id: MUST_CONTAIN_CORS_RESPONSE_HEADERS
+info:
+ name: Missing CORS Response Headers
+ description: "The response does not contain some CORS security headers."
+ details: >
+ "These headers control how and when resources can be accessed from other origins. They isolate your pages from other sites unless cross-origin access is explicitly allowed. This creates a secure context required for certain browser features."
+ impact: "Stops cross-origin data leaks and side-channel attacks."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Cross-Origin-Embedder-Policy
+ - Cross-Origin-Opener-Policy
+ - Cross-Origin-Resource-Policy
+strategy:
+ run_once: /
From 9ede41a8aec10e8113981282aef1395f9d94ecbf Mon Sep 17 00:00:00 2001
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 03:00:57 -0700
Subject: [PATCH 4/6] Add Content Security Headers requirement
---
 .../MustContainContentSecurityHeaders.yml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
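Review bot: The rule is named "Missing CORS Response Headers" but the headers it checks — `Cross-Origin-Embedder-Policy`, `Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy` — are the cross-origin isolation headers, not the `Access-Control-*` CORS headers, so whoever triages the finding will look for the wrong thing; rename to `name: Missing Cross-Origin Isolation Response Headers` and align `description` and the `id` (for example a constructed `MUST_CONTAIN_CROSS_ORIGIN_ISOLATION_RESPONSE_HEADERS`). COEP and COOP only affect documents a browser renders, while the selection filter admits every 2xx endpoint except `OPTIONS`, so most findings will land on JSON responses where the headers change nothing; if the filter language can match `Content-Type`, limiting the rule to HTML responses would cut that noise (not verifiable from the hunk). `Cross-Origin-Resource-Policy` is the one of the three that is meaningful on API responses and would justify a rule of its own.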
diff --git a/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml b/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
new file mode 100644
index 00000000..342336df
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
@@ -0,0 +1,58 @@
+id: MUST_CONTAIN_CONTENT_SEC_RESPONSE_HEADERS
+info:
+ name: Missing Content & Framing Security Response Headers
+ description: "The response does not contain some Content & Framing Security security headers."
+ details: >
+ "These headers prevent untrusted scripts, styles, or content from executing in your pages. They stop MIME type sniffing and block your pages from being embedded in iframes. This helps reduce attack vectors like XSS and clickjacking."
+ impact: "Blocks XSS, clickjacking, and content injection attacks."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Content-Security-Policy
+ - X-Content-Type-Options
+ - X-Frame-Options
+ - X-Permitted-Cross-Domain-Policies
+strategy:
+ run_once: /
From 277ec9425d02af7bb01798f3b5691b4905034821 Mon Sep 17 00:00:00 2001
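Review bot: `description` reads "Content & Framing Security security headers", a duplicated word; change it to `description: "The response does not contain some Content & Framing Security headers."`. `X-Permitted-Cross-Domain-Policies` is in `not_contains` but not mentioned in `details`, and it only governs Flash and Acrobat clients, so either document why every 2xx response must carry it or drop it from the list. `X-Frame-Options` is superseded by the CSP `frame-ancestors` directive, so a response with a correct `Content-Security-Policy` and no `X-Frame-Options` is not misconfigured, which a single combined list cannot express; splitting the framing check out would avoid that false positive. `X-Content-Type-Options` is the one header here that matters on an API response, whereas a CSP on a JSON body has no effect.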
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 03:02:24 -0700
Subject: [PATCH 5/6] Add privacy feature headers requirement to YAML
---
 .../MustContainPrivacyFeatureHeaders.yml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
diff --git a/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml b/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
new file mode 100644
index 00000000..3dfe4a7d
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
@@ -0,0 +1,56 @@
+id: MUST_CONTAIN_PRIVACY_RESPONSE_HEADERS
+info:
+ name: Missing Privacy & Feature Restriction Response Headers
+ description: "The response does not contain Privacy & Feature Restriction security headers."
+ details: >
+ "These headers limit what referrer information is shared when navigating to other sites. They also restrict access to powerful browser APIs like camera, microphone, and geolocation. This reduces the exposure of sensitive user data."
+ impact: "Minimizes data leaks and reduces browser attack surface."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Permissions-Policy
+ - Referrer-Policy
+strategy:
+ run_once: /
From 817742c06c8674413fb06d3ea81fce8cc49b000e Mon Sep 17 00:00:00 2001
From: Ankush Jain <91221068+ankush-jain-akto@users.noreply.github.com>
Date: Fri, 19 Sep 2025 03:08:28 -0700
Subject: [PATCH 6/6] Add inactive flag to MustContainResponseHeaders.yaml
---
 Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml b/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
index e91051a3..23f321f2 100644
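Review bot: `Referrer-Policy` and `Permissions-Policy` only influence how a browser handles a rendered document, yet the selection filter admits every 2xx non-`OPTIONS` endpoint, so on an API-testing target the rule will mostly flag JSON responses where the header's absence changes nothing; scoping the rule to HTML responses, if `api_selection_filters` can express a `Content-Type` match, would keep the finding actionable (I cannot confirm that filter from the hunk). `impact` states the header's benefit ("Minimizes data leaks...") rather than what the absence exposes; suggest `impact: "Without Referrer-Policy the full URL, including any query-string tokens, is sent to third-party sites on navigation, and without Permissions-Policy the page cannot opt out of camera, microphone or geolocation access, leaving injected scripts free to request them."`. The `details` value is a `>` folded scalar whose content is wrapped in double quotes, so the quote characters become part of the rendered text; drop the inner quotes or use a plain quoted scalar instead — the same pattern appears in the other new rules in this series.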
--- a/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
+++ b/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
@@ -31,7 +31,7 @@ attributes:
 plan: STANDARD
 duration: FAST
-
+inactive: true
 api_selection_filters:
 response_code:
 gte: 200
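Review bot: `inactive: true` is added without any comment recording why the rule is being retired, and the blank line separating `attributes` from `api_selection_filters` is dropped to make room for it. Keep the separator and put `# Superseded by the per-category MustContain*Headers.yml rules; kept inactive so existing findings keep their id` above the flag (the supersession is my inference from the other patches in this series, not visible in this hunk). The five new rules declare `subCategory: MUST_CONTAIN_RESPONSE_HEADERS`, presumably this file's `id`, so confirm the engine treats `subCategory` as a grouping label rather than a reference to an active rule. The `attributes` mapping starts before the hunk.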