HTTP Security Headers Analyzer

Configuration Name: SecurityHeaders

Description

The SecurityHeaders analyzer checks for proper values of HTTP headers relevant to API security.

  • Runs on every request in the sequence walk (once per operation).
  • Does not generate requests but inspects existing responses.
  • Findings are target-scoped, i.e. not associated with a particular operation, which avoids duplicate findings when all operations return the same headers.

Checks Performed

There are many recommended security headers for web applications, and a subset of the recommended headers also pertain to HTTP-based network APIs. The SecurityHeaders analyzer validates the presence and correctness of key security-related HTTP headers:

| Header | Expected Value / Condition | Recommendation |
|---|---|---|
| Content-Type | Must be present | Ensures correct content handling |
| Strict-Transport-Security (HSTS) | Must include max-age ≥ 63072000 | Enforces HTTPS for API security |
| X-Content-Type-Options | Must be present and set to nosniff | Prevents MIME-type sniffing |
| Content-Security-Policy (CSP) | Expected value: default-src 'none'; frame-ancestors 'none' | Restricts content sources |
| Access-Control-Allow-Origin | If present, must not be "null" | Prevents security risks in CORS settings |
| Information Exposure Headers | Detects header names or values matching x.y.z or x.y patterns | Prevents unintentional data leaks |

Faults Reported

Findings are reported when an HTTP response does not comply with header security best practices.

| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-693 | Security Headers | An HTTP response did not comply with security best practices for header values. A comment on the step below contains the details of which headers did not comply. | Modify the API implementation or API gateway to set the appropriate header values in each response. | Medium |

Rule Evaluation

  • The analyzer inspects each API response for the presence and correctness of security headers.
  • A finding is reported if a required header is missing, incorrectly configured, or contains an insecure value.
  • Findings are target-scoped to avoid redundant reports when multiple operations use the same headers.

Example Scenario

Example HTTP Response with Security Header Issues:

HTTP/1.1 200 OK
Content-Type: application/json
X-Content-Type-Options: sniff  # Incorrect value (should be 'nosniff')
Strict-Transport-Security: max-age=31536000  # Too low (should be ≥ 63072000)
Access-Control-Allow-Origin: "null"  # Insecure setting
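The table's checks applied to a response like the one above, as an added Python example (not the analyzer's own code). The sample response is constructed from the page's example plus a Server header; reading the table's x.y.z / x.y pattern as a version-number shape is an assumption.

```python
import re
HSTS_MIN_MAX_AGE = 63_072_000  # two years, the minimum the table requires
CSP_EXPECTED = "default-src 'none'; frame-ancestors 'none'"
# Assumption: the table's "x.y.z or x.y" patterns mean version-number shapes such as 1.18.0
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
# Headers the table checks explicitly; every other header is scanned for information exposure
TABLE_HEADERS = {"content-type", "strict-transport-security", "x-content-type-options",
                 "content-security-policy", "access-control-allow-origin"}

# Constructed sample: the page's example response plus a Server header to exercise the exposure check
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: sniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    'Access-Control-Allow-Origin: "null"\r\n'
    "Server: nginx/1.18.0\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict[str, str]:
    """Parse the head of a raw HTTP/1.1 response into a lower-cased name -> value dict."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    return headers

def check_security_headers(raw: str) -> list[str]:
    """Apply the table's checks; return one finding per non-compliant header (empty list = compliant)."""
    h = parse_headers(raw)
    findings: list[str] = []
    if "content-type" not in h:
        findings.append("Content-Type: missing")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"Strict-Transport-Security: max-age must be >= {HSTS_MIN_MAX_AGE}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: must be present and set to nosniff")
    if h.get("content-security-policy") != CSP_EXPECTED:
        findings.append(f"Content-Security-Policy: expected {CSP_EXPECTED}")
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao.strip('"').lower() == "null":
        findings.append('Access-Control-Allow-Origin: must not be "null"')
    for name, value in h.items():
        if name not in TABLE_HEADERS and (VERSION_RE.search(name) or VERSION_RE.search(value)):
            findings.append(f"{name}: possible information exposure ({value})")
    return findings
```

Running `check_security_headers(SAMPLE_RESPONSE)` yields five findings (HSTS too low, wrong nosniff value, missing CSP, "null" origin, version string in Server); a response carrying the table's expected values returns an empty list.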

Findings Would Be Reported For

If an API response contains security misconfigurations in HTTP headers, findings would be reported for:

  • X-Content-Type-Options incorrectly set

    • Example: X-Content-Type-Options: sniff (should be nosniff)
    • Issue: Allows MIME-type sniffing, increasing the risk of security vulnerabilities.
  • Strict-Transport-Security using an insufficient max-age value

    • Example: Strict-Transport-Security: max-age=31536000
    • Issue: The value is too low (should be ≥ 63072000 for proper security enforcement).
  • Access-Control-Allow-Origin set to "null"

    • Example: Access-Control-Allow-Origin: "null"
    • Issue: This setting is insecure and can lead to cross-origin security risks.

Remediation Steps

To ensure API responses adhere to security best practices, follow these remediation steps:

  1. Ensure All Required Security Headers Are Present: set the following headers in API responses:

    • Content-Type
    • Strict-Transport-Security
    • X-Content-Type-Options
    • Content-Security-Policy
    • Access-Control-Allow-Origin (if applicable)
  2. Set Headers to Secure Values

    • Strict-Transport-Security: ensure max-age is at least 63072000 (two years).
    • X-Content-Type-Options: must be set to nosniff to prevent MIME-type sniffing.
    • Content-Security-Policy: use a restrictive policy, e.g., default-src 'none'; frame-ancestors 'none'.
    • Access-Control-Allow-Origin: do not use "null" as an allowed origin.
  3. Implement Security Best Practices

    • Configure API gateways or reverse proxies to enforce security headers consistently.
    • Use automated security testing tools to detect missing or misconfigured headers.
  4. Monitor API Responses

    • Regularly review API response headers to ensure compliance.
    • Implement logging and alerting for misconfigured or missing security headers.