LI - HTTP Security Header
DevSecOpsGuides.com

| No | Name | Description | Policies | Attacks |
|---|---|---|---|---|
| 1 | X-Content-Type-Options | MIME sniffing attacks prevention | nosniff -> blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script | Misconfigure; RFD |
| 2 | X-XSS-Protection | Detect reflected cross-site scripting | 0 -> allow; 1 -> enables XSS filtering; mode=block -> browser will prevent rendering of the page if an attack is detected; report=<reporting-URI> -> sanitize the page and report the violation | Misconfigure; CORS; Deception |
| 3 | X-Frame-Options | Whether a browser should be allowed to render a page in a frame | DENY -> the page may not be displayed in a frame; SAMEORIGIN -> displayed only if all ancestor frames are same origin to the page itself | Misconfigure; Clickjacking |
| 4 | Content-Security-Policy | Control which origins resources may come from | default-src -> content comes from the site's own origin; media-src -> media from trusted providers; script-src -> specific server that hosts trusted code | Misconfigure; XSS; Clickjacking |
| 5 | Strict-Transport-Security | Informs browsers that the site should only be accessed using HTTPS | max-age -> the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS; includeSubDomains -> rule applies to all of the site's subdomains as well | Misconfigure; MITM; SSL/TLS stripping attacks; Cookie hijacking attacks |
| 6 | Referrer-Policy | Controls how much referrer information is included in sent requests | no-referrer -> do not include any referrer information; no-referrer-when-downgrade -> don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file) | Misconfigure; CSRF; Privacy attacks; Information disclosure attacks |
| 7 | Cache-Control | Control caching in browsers and shared caches | no-cache -> response must be validated with the origin server before each reuse; no-store -> caches of any kind (private or shared) should not store this response | Misconfigure; Cache Inspection; Cache Deception |
| 8 | Content-Disposition | Response header indicating whether the content is expected to be displayed inline in the browser | inline; attachment; filename="filename.jpg" | Misconfigure; XSS; Clickjacking; RFD |
| 9 | Cross-Origin-Resource-Policy | Protection against certain requests from other origins | same-site -> only requests from the same site can read the resource; same-origin -> only requests from the same origin (i.e. scheme + host + port); cross-origin -> any origin (both same-site and cross-site) can read the resource | Misconfigure; XSS; Clickjacking |
| 10 | X-* | Extra HTTP headers | X-Rate-Limit -> control limit of requests; X-Origin -> origin of requests; X-Forwarded-IP -> change real IP | Misconfigure; HTTP Header Injection; Cache Deception; Ratelimit Bypass |
| 11 | Content-Encoding | Lists any encodings that have been applied to the representation (message payload), and in what order | gzip; compress; deflate; br | DDoS; Network eavesdropping |
| 12 | Access-Control-Allow-Origin | Whether the response can be shared with requesting code from the given origin | *; <origin>; null | Misconfigure; XSS; Host Header Injection; Cache Poisoning |
| 13 | Access-Control-Allow-Methods | Specifies one or more methods allowed | POST, GET, OPTIONS; * | Misconfigure; CSRF; XSS |