HADESS.IO

HTTP security headers. Each entry lists the header's number and name, a description, the policies (directive values) it accepts, and the attacks associated with it.
1. X-Content-Type-Options
   Description: prevents MIME sniffing attacks.
   Policies: nosniff -> blocks a request if the request destination is of type "style" and the MIME type is not text/css, or of type "script" and the MIME type is not a JavaScript MIME type.
   Attacks: misconfiguration; RFD (Reflected File Download).
2. X-XSS-Protection
   Description: detects reflected cross-site scripting attacks.
   Policies: 0 -> disables XSS filtering; 1 -> enables XSS filtering (the browser sanitises the page if an attack is detected); 1; mode=block -> the browser prevents rendering of the page if an attack is detected; 1; report=<reporting-URI> -> sanitises the page and reports the violation.
   Attacks: misconfiguration; CORS deception.
   Note: the filter has been removed from Chromium-based browsers and was never implemented in Firefox; current guidance is to send X-XSS-Protection: 0 and rely on Content-Security-Policy instead.
3. X-Frame-Options
   Description: indicates whether a browser should be allowed to render the page in a frame.
   Policies: DENY -> the page cannot be displayed in a frame, regardless of the site attempting to do so; SAMEORIGIN -> the page can be displayed in a frame only if all ancestor frames are same origin to the page itself.
   Attacks: misconfiguration; clickjacking.
4. Content-Security-Policy
   Description: controls what resources the user agent is allowed to load for the page.
   Policies: default-src -> fallback for the other fetch directives, e.g. 'self' requires resources to come from the site's own origin; media-src -> restricts audio and video to trusted providers; script-src -> restricts scripts to a specific server that hosts trusted code.
   Attacks: misconfiguration; XSS; clickjacking (frame-ancestors is the CSP directive that controls framing).
5. Strict-Transport-Security
   Description: informs browsers that the site should only be accessed using HTTPS.
   Policies: max-age=<seconds> -> the time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS; includeSubDomains -> the rule applies to all of the site's subdomains as well.
   Attacks: misconfiguration; MITM; SSL/TLS stripping; cookie hijacking.
6. Referrer-Policy
   Description: controls how much referrer information (sent in the Referer header) is included with requests.
   Policies: no-referrer -> the Referer header is omitted entirely; no-referrer-when-downgrade -> the full URL is sent, except that the Referer header is not sent for requests to less secure destinations (HTTPS → HTTP, HTTPS → file).
   Attacks: misconfiguration; CSRF; privacy attacks; information disclosure.
7. Cache-Control
   Description: controls caching in browsers and shared caches.
   Policies: no-cache -> the response must be validated with the origin server before each reuse; no-store -> caches of any kind (private or shared) must not store this response.
   Attacks: misconfiguration; cache inspection; cache deception.
8. Content-Disposition
   Description: indicates whether the content is expected to be displayed inline in the browser or downloaded as an attachment.
   Policies: inline -> display as part of the page; attachment -> prompt a download; filename="filename.jpg" -> the name suggested for the download.
   Attacks: misconfiguration; XSS; clickjacking; RFD.
9. Cross-Origin-Resource-Policy
   Description: protects a resource against certain requests from other origins.
   Policies: same-site -> only requests from the same site can read the resource; same-origin -> only requests from the same origin (scheme + host + port) can read the resource; cross-origin -> any origin (both same-site and cross-site) can read the resource.
   Attacks: misconfiguration; XSS; clickjacking.
10. X-* (non-standard headers)
   Description: extra, application-defined HTTP headers.
   Policies: X-Rate-Limit -> controls the request limit; X-Origin -> the origin of the request; X-Forwarded-IP (and similar headers such as X-Forwarded-For) -> lets the client claim a different "real" IP if the server trusts it.
   Attacks: misconfiguration; HTTP header injection; cache deception; rate-limit bypass.
11. Content-Encoding
   Description: lists any encodings that have been applied to the compressed representation (message payload), and in what order.
   Policies: gzip; deflate; br.
   Attacks: DDoS; network eavesdropping.
12. Access-Control-Allow-Origin
   Description: indicates whether the response can be shared with requesting code from the given origin.
   Policies: * -> any origin (not valid for credentialed requests); <origin> -> a single, exact origin; null -> the "null" origin (sandboxed iframes, file: pages), which should not be allowed.
   Attacks: misconfiguration; XSS; host header injection; cache poisoning.
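How a server should choose the Access-Control-Allow-Origin value, and why reflecting the request Origin (including the literal "null") or suffix-matching it is the misconfiguration behind most CORS findings. This is an added example and not Hadess code or a tool the page describes; the origins, the allow-list and the simplified browser check are assumptions constructed for illustration.

```python
"""Choosing Access-Control-Allow-Origin on the server.

Added example, not Hadess code. The origins and allow-list are made up, and
browser_allows_read() is a simplified model of the browser's CORS check.
"""
from __future__ import annotations

# Hypothetical allow-list: exact origins (scheme + host + port), nothing else.
ALLOWED_ORIGINS = frozenset({"https://app.example.test", "https://admin.example.test"})


def cors_headers_vulnerable(origin: str | None) -> dict[str, str]:
    """Misconfiguration 1: reflect whatever Origin arrives, with credentials.
    Any site, and any sandboxed iframe (whose Origin is the literal 'null'),
    can read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_suffix_match(origin: str | None) -> dict[str, str]:
    """Misconfiguration 2: a suffix check instead of an exact match.
    'https://evilexample.test' ends with 'example.test' and is let through."""
    if origin is None or not origin.endswith("example.test"):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: str | None) -> dict[str, str]:
    """Exact match against the allow-list; 'null' and unknown origins get no
    Access-Control-Allow-Origin at all, so the browser blocks the read.
    'Vary: Origin' stops a shared cache from serving one origin's value to a
    request from another origin."""
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,                 # never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",  # explicit list, not '*'
        "Vary": "Origin",
    }


def browser_allows_read(resp: dict[str, str], requesting_origin: str, credentialed: bool) -> bool:
    """Simplified model of the browser's decision to expose a cross-origin response."""
    acao = resp.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed  # '*' is rejected for credentialed requests
    if acao != requesting_origin:
        return False
    return not credentialed or resp.get("Access-Control-Allow-Credentials") == "true"


if __name__ == "__main__":
    for attacker in ("https://attacker.test", "https://evilexample.test", "null"):
        for name, fn in (("vulnerable", cors_headers_vulnerable),
                         ("suffix-match", cors_headers_suffix_match),
                         ("hardened", cors_headers_hardened)):
            ok = browser_allows_read(fn(attacker), attacker, credentialed=True)
            print(f"{name:12s} origin={attacker:26s} credentialed read allowed: {ok}")
```

The hardened variant deliberately returns no Access-Control-Allow-Origin for a rejected origin rather than a fixed default, because a browser that sees no header blocks the read, whereas an unexpected fixed value can still be served to the wrong origin from a shared cache that did not key on Origin.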
13. Access-Control-Allow-Methods
   Description: in the response to a preflight request, specifies one or more methods allowed when accessing the resource.
   Policies: POST, GET, OPTIONS -> an explicit list; * -> any method (treated as a wildcard only for requests without credentials).
   Attacks: misconfiguration; CSRF; XSS.
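A response-header audit that checks for the misconfigurations listed across entries 1 through 13, as an added example that is not Hadess code or a tool the page describes. The one-year HSTS threshold, the set of CSP script sources treated as weak, the Set-Cookie-based cacheability rule, and both sample responses are assumptions constructed for illustration.

```python
"""Audit HTTP response headers for the misconfigurations in entries 1-13.
Added example, not Hadess code; thresholds and sample responses are assumptions."""
from __future__ import annotations
import re

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age (assumption)
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "*", "data:", "http:", "https:"}


def csp_directives(policy: str) -> dict[str, list[str]]:
    """Parse "default-src 'self'; script-src 'self' cdn" into {directive: sources}."""
    out: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: list[str] = []
    # 1. Without nosniff a text/plain body may be sniffed as HTML or script (RFD).
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    # 2. '1' re-enables a filter modern browsers removed; '0' plus a CSP is safer.
    xxp = h.get("x-xss-protection")
    if xxp is not None and not xxp.startswith("0"):
        findings.append("X-XSS-Protection: legacy filter enabled; prefer '0' and a CSP")

    # 3/4. Clickjacking: X-Frame-Options or CSP frame-ancestors must restrict framing.
    csp = csp_directives(h.get("content-security-policy", ""))
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no frame-ancestors")

    # 4. The script source that applies is script-src, falling back to default-src.
    if not csp:
        findings.append("Content-Security-Policy: missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        weak = sorted(WEAK_SCRIPT_SOURCES.intersection(s.lower() for s in script_src))
        if not script_src:
            findings.append("Content-Security-Policy: neither script-src nor default-src set")
        elif weak:
            findings.append(f"Content-Security-Policy: script-src allows {', '.join(weak)}")

    # 5. HSTS: a short max-age or a missing includeSubDomains leaves gaps for stripping.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing (SSL stripping, MITM)")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security: max-age missing or below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains absent")

    # 6. These values send the full URL to other HTTPS origins.
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: missing or leaks the full URL cross-origin")

    # 7. A response that sets a cookie is per-user; a shared cache must not store it.
    cc = h.get("cache-control", "").lower()
    if "set-cookie" in h and "no-store" not in cc and "private" not in cc:
        findings.append("Cache-Control: personalised response (Set-Cookie) is cacheable")

    # 12/13. CORS: 'null' origin, '*' with credentials, wildcard methods.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "null":
        findings.append("Access-Control-Allow-Origin: 'null' matches sandboxed iframes and file: pages")
    if acao == "*" and creds:
        findings.append("Access-Control-Allow-Origin: '*' combined with credentials=true")
    if h.get("access-control-allow-methods") == "*":
        findings.append("Access-Control-Allow-Methods: '*' instead of an explicit list")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Set-Cookie": "session=abc; Path=/",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "null",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.test; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_security_headers(resp) or "no findings")
```

Run against the weak sample it reports nine findings and against the hardened one none; the CSP check looks at the effective script source (script-src, else default-src) rather than at the raw header string, because a policy can look restrictive while still inheriting 'unsafe-inline' through default-src.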