How our Security Headers assessment is performed

For every website we have discovered while enumerating your domains and crawling the web, we check whether the following HTTP headers are present in the web applications discovered in your footprint, and whether they are correctly configured.

We highly recommend implementing the following headers:

  • Permissions-Policy: The Permissions-Policy header replaces the Feature-Policy header for controlling delegation of permissions and key features. The header uses a structured syntax and allows sites to restrict the types of clients (e.g. frames) that are granted access to key features. This can be used to restrict access to, for example, the camera or microphone.
  • Content-Security-Policy: A Content Security Policy (also named CSP) requires a precise definition of the policy and careful tuning. If enabled, CSP has a significant impact on the way browsers render pages (e.g. inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. The P tag can be set to “none”, “quarantine”, or “reject”; “reject” provides the best possible security and hence results in the best rating.
  • Referrer-Policy: The Referrer-Policy Security Header governs which referrer information should be included in the Referrer header of the response. There are quite a few values to choose from when setting up the Referrer-Policy.
  • X-Content-Type-Options: Setting this header will prevent the browser from interpreting files as a MIME type different from the one specified in the Content-Type header (e.g. treating text/plain as text/css).
  • X-Frame-Options: The X-Frame-Options response header (also named XFO) improves the protection of web applications against clickjacking. It instructs the browser whether the content can be displayed within frames. Note that the Content-Security-Policy frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the CSP frame-ancestors policy will be enforced, and the X-Frame-Options policy will be ignored.
  • Strict-Transport-Security: HTTP Strict Transport Security (also named HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection (HSTS headers over HTTP are ignored).
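The checks described above, as an added example that is not the assessment's own code: it takes a header set already captured from one HTTPS response (the sample below is constructed, not real data) and reports one finding per header that is missing or misconfigured, including the rule that a CSP frame-ancestors directive supersedes X-Frame-Options and that HSTS only counts when seen over HTTPS.

```python
from typing import Dict, List

# Constructed sample: what a crawler might capture from one HTTPS response.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=0; includeSubDomains",
    "X-Content-Type-Options": "sniff",
}
REFERRER_VALUES = {"no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
                   "origin-when-cross-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"}

def csp_directives(csp: str) -> Dict[str, List[str]]:
    # Split "default-src 'self'; img-src *" into {"default-src": ["'self'"], "img-src": ["*"]}
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def assess_headers(headers: Dict[str, str], over_https: bool = True) -> List[str]:
    # Returns one finding per failed check; an empty list means every header passed.
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")
    csp = csp_directives(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy: no default-src fallback")
    if h.get("referrer-policy", "").lower() not in REFERRER_VALUES:
        findings.append("Referrer-Policy: missing or unrecognised value")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: must be 'nosniff'")
    # CSP frame-ancestors supersedes X-Frame-Options, so XFO is only checked when it is absent
    if (csp is None or "frame-ancestors" not in csp) and \
            h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options: missing or weak, and no CSP frame-ancestors")
    hsts = h.get("strict-transport-security") if over_https else None  # HSTS over HTTP is ignored
    if hsts is None:
        findings.append("Strict-Transport-Security: missing (or only seen over HTTP)")
    else:
        params = {p.split("=")[0].strip().lower(): p.split("=")[-1].strip() for p in hsts.split(";")}
        max_age = params.get("max-age", "")
        if not max_age.isdigit() or int(max_age) <= 0:
            findings.append("Strict-Transport-Security: max-age missing or zero")
    return findings
```

Running `assess_headers(SAMPLE_HEADERS)` on the constructed sample reports four findings (no Permissions-Policy, no Referrer-Policy, a wrong X-Content-Type-Options value, and an HSTS max-age of zero) while accepting the CSP, whose frame-ancestors directive also makes the absent X-Frame-Options acceptable.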
