Missing security headers

Severity
Low
Applies to
Proxy
Links
CWE-523

Why This Issue Is Important

Security headers play a crucial role in protecting web applications from a variety of attacks. They instruct the browser on how to handle content, helping to prevent issues like code injection, clickjacking, MIME type mismatches, and other vulnerabilities. Missing headers like Strict-Transport-Security (HSTS) and X-Content-Type-Options can leave your API vulnerable to man-in-the-middle attacks, cross-site scripting (XSS), and other security risks.

Strict-Transport-Security (HSTS): this header ensures that browsers only communicate with your server over HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

X-Content-Type-Options: this header prevents browsers from interpreting files as something other than what they are declared to be, which mitigates certain types of attacks like MIME-type sniffing.

How This Issue Is Detected

This issue is detected by analyzing the response flow of the proxy to check for the presence of essential security headers. If headers like Strict-Transport-Security or X-Content-Type-Options are not being set by any of the response-related policies, an issue is flagged.

How to Fix the Issue

To fix this issue, add the missing security headers in the response using the AssignMessage policy:

<AssignMessage async="false" continueOnError="false" enabled="true" name="Set-Security-Headers">
    <DisplayName>Set Security Headers</DisplayName>
    <Set>
        <Headers>
            <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
            <Header name="X-Content-Type-Options">nosniff</Header>
        </Headers>
    </Set>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>