HTTP security configuration verification requirements

ASVS Verification Requirement

ID Detailed Verification Requirement Level 1 Level 2 Level 3 Since
11.1 Verify that the application accepts only a defined set of required HTTP request methods, such as GET and POST are accepted, and unused methods (e.g. TRACE, PUT, and DELETE) are explicitly blocked. x x x 1.0
11.2 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1). x x x 1.0
11.3 Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application.   x x 2.0
11.4 Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame.   x x 3.0.1
11.5 Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. x x x 2.0
11.6 Verify that all API responses contain X-Content-Type-Options: nosniff and Content-Disposition: attachment; filename=”“api.json”” (or other appropriate filename for the content type). x x x 3.0
11.7 Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities. x x x 3.0.1
11.8 Verify that the X-XSS-Protection: 1; mode=block header is in place. x x x 3.0


Each endpoint has explicitely defined, which HTTP methods are allowed. Unused methods throw a 405 (method not supported)

11.2 (violation)

Responses currently do not define a charset even so they all return UTF-8


There are no trusted proxies or SSO devices that would add headers dynamically.


The default configuration of the reverse proxy enforces X-Frame Option to be DENY. Cloudflare as default uses sameorigin which is fine too

11.5 (violation)

Cloudflare infront hides most of the fingerprint of the webserver. The server itself exposes his psono version in order to enable the possibility for the client to check for incompatibilities.


X-Content Type option nosniff is set in the default configuration of the reverse proxy and also passed on by cloudflare


CSP is in place and the complete application is written so it can be enabled in a very strict mode. The CSP is also part of the default configuration of the reverse proxy


” X-XSS-Protection: 1; mode=block “ is part of the default configuration of the reverse proxy and also by default enabled.

Edit me