# V11 HTTP security

HTTP security configuration verification requirements

# ASVS Verification Requirement

| ID | Detailed Verification Requirement | Level 1 | Level 2 | Level 3 | Since |
|---|---|---|---|---|---|
| 11.1 | Verify that the application accepts only a defined set of required HTTP request methods, such as GET and POST are accepted, and unused methods (e.g. TRACE, PUT, and DELETE) are explicitly blocked. | x | x | x | 1.0 |
| 11.2 | Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1). | x | x | x | 1.0 |
| 11.3 | Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application. | | x | x | 2.0 |
| 11.4 | Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame. | | x | x | 3.0.1 |
| 11.5 | Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. | x | x | x | 2.0 |
| 11.6 | Verify that all API responses contain X-Content-Type-Options: nosniff and Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type). | x | x | x | 3.0 |
| 11.7 | Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities. | x | x | x | 3.0.1 |
| 11.8 | Verify that the X-XSS-Protection: 1; mode=block header is in place. | x | x | x | 3.0 |
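The header-related requirements in the table (11.2, 11.4, 11.5, 11.6, 11.7, 11.8) can be checked mechanically against a captured response. The following is an added example, not part of the original page and not Psono's or its reverse proxy's code: it takes a response's headers as a dict and reports which V11 controls fail. The sample header sets are constructed. The "contains a dotted version number" heuristic for 11.5 and the minimal "declares default-src or script-src" test for 11.7 are assumptions of this example, not ASVS definitions.

```python
"""Check one HTTP response's headers against ASVS V11 header controls.
Added example: header values below are constructed, not captured from Psono."""
import re
from typing import Dict, List, Tuple

# Character sets that 11.2 names as safe.
SAFE_CHARSETS = {"utf-8", "iso-8859-1"}


def _charset_of(content_type: str) -> str:
    """Return the lower-cased charset parameter of a Content-Type value, or ''."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return ""


def check_v11_headers(headers: Dict[str, str], is_api: bool = False) -> List[Tuple[str, bool, str]]:
    """Evaluate a response's headers. Returns (requirement id, passed, detail) tuples.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    results: List[Tuple[str, bool, str]] = []

    # 11.2: Content-Type must carry a safe charset.
    charset = _charset_of(h.get("content-type", ""))
    results.append(("11.2", charset in SAFE_CHARSETS,
                    f"Content-Type charset is {charset or 'missing'}"))

    # 11.4: X-Frame-Options must be DENY or SAMEORIGIN.
    xfo = h.get("x-frame-options", "").strip().upper()
    results.append(("11.4", xfo in {"DENY", "SAMEORIGIN"},
                    f"X-Frame-Options is {xfo or 'missing'}"))

    # 11.5 (assumed heuristic): Server / X-Powered-By must not contain a dotted version.
    leaking = [n for n in ("server", "x-powered-by") if re.search(r"\d+\.\d+", h.get(n, ""))]
    results.append(("11.5", not leaking,
                    f"version-bearing headers: {', '.join(leaking) or 'none'}"))

    # 11.6: nosniff always; API responses also need an attachment Content-Disposition.
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    disposition_ok = (not is_api) or h.get("content-disposition", "").lower().startswith("attachment")
    results.append(("11.6", nosniff and disposition_ok,
                    f"nosniff={nosniff}, attachment disposition ok={disposition_ok}"))

    # 11.7 (assumed minimal test): a CSP that sets default-src or script-src.
    csp = h.get("content-security-policy", "")
    results.append(("11.7", "default-src" in csp or "script-src" in csp,
                    f"CSP is {csp or 'missing'}"))

    # 11.8: X-XSS-Protection: 1; mode=block (whitespace-insensitive).
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    results.append(("11.8", xss == "1;mode=block",
                    f"X-XSS-Protection is {h.get('x-xss-protection', '') or 'missing'}"))
    return results


def failing_requirements(headers: Dict[str, str], is_api: bool = False) -> List[str]:
    """Ids of the requirements the response fails, in table order."""
    return [req for req, ok, _ in check_v11_headers(headers, is_api) if not ok]


# Constructed sample: a compliant API response.
GOOD_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Server": "cloudflare",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="api.json"',
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample mirroring the two violations noted on this page:
# no charset on Content-Type (11.2) and a server version string (11.5).
BAD_HEADERS = dict(GOOD_HEADERS, **{
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
})

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        for req, ok, detail in check_v11_headers(hdrs, is_api=True):
            print(f"{name}: {req} {'PASS' if ok else 'FAIL'} ({detail})")
```

Point it at real responses by building the dict from `requests` or `curl -I` output; because the check is purely on header values, it can run in CI against a staging deployment or on a saved capture.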

# 11.1

Each endpoint explicitly defines which HTTP methods are allowed. Unused methods return a 405 (Method Not Allowed).

# 11.2 (violation)

Responses currently do not declare a charset, even though they are all returned as UTF-8.
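To show what 11.1 and 11.2 look like at the application layer, here is an added example (not Psono's code and not its reverse proxy configuration): a minimal WSGI application with a per-endpoint method allow-list that answers unlisted methods with 405 plus the Allow header, and that declares `charset=utf-8` on every response, which is what closes the 11.2 violation noted above. The route table and handlers are constructed for the example.

```python
"""Per-endpoint HTTP method allow-list (11.1) and charset on every response (11.2).
Added example: routes and handlers are constructed, not Psono's."""
from http import HTTPStatus
from typing import Callable, Dict, Iterable, List, Tuple

Handler = Callable[[dict], Tuple[int, bytes]]

# Route table: path -> {allowed method: handler}. Anything not listed is refused,
# so TRACE, PUT, DELETE, ... are blocked by construction rather than by a deny-list.
ROUTES: Dict[str, Dict[str, Handler]] = {
    "/api/health": {"GET": lambda env: (200, b'{"status": "ok"}')},
    "/api/items": {
        "GET": lambda env: (200, b"[]"),
        "POST": lambda env: (201, b'{"created": true}'),
    },
}


def application(environ: dict, start_response: Callable) -> Iterable[bytes]:
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET").upper()
    # Every response is JSON and carries an explicit, safe charset (11.2).
    headers: List[Tuple[str, str]] = [("Content-Type", "application/json; charset=utf-8")]

    handlers = ROUTES.get(path)
    if handlers is None:
        status, body = 404, b'{"error": "not found"}'
    elif method not in handlers:
        # 405 with the Allow header that RFC 7231 requires for this status (11.1).
        status, body = 405, b'{"error": "method not allowed"}'
        headers.append(("Allow", ", ".join(sorted(handlers))))
    else:
        status, body = handlers[method](environ)

    headers.append(("Content-Length", str(len(body))))
    start_response(f"{status} {HTTPStatus(status).phrase}", headers)
    return [body]


def call(method: str, path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Invoke the app directly (no socket) and return status code, headers, body."""
    captured: dict = {}

    def start_response(status: str, response_headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(response_headers)

    body = b"".join(application({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for m in ("GET", "POST", "TRACE", "DELETE"):
        code, hdrs, _ = call(m, "/api/items")
        print(m, code, hdrs.get("Allow", ""), hdrs["Content-Type"])
```

The same app runs under any WSGI server (for example `wsgiref.simple_server.make_server("127.0.0.1", 8000, application)`); the `call` helper is only there to exercise it without a network.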

# 11.3

There are no trusted proxies or SSO devices that would add headers dynamically.

# 11.4

The default configuration of the reverse proxy sets X-Frame-Options to DENY. Cloudflare uses SAMEORIGIN by default, which is fine too.

# 11.5 (violation)

Cloudflare in front hides most of the fingerprint of the web server. The server itself exposes its Psono version so that the client can check for incompatibilities.

# 11.6

X-Content-Type-Options: nosniff is set in the default configuration of the reverse proxy and is also passed on by Cloudflare.

# 11.7

A CSP is in place, and the complete application is written so that it can be enabled in a very strict mode. The CSP is also part of the default configuration of the reverse proxy.

# 11.8

"X-XSS-Protection: 1; mode=block" is part of the default configuration of the reverse proxy and is enabled by default.