This article will help you to understand the Website Security section of the Perimeter Report.
What is the Website Security Section?
This section of the report checks the website's HTTP response headers that control how a browser is allowed to load and run the website's content, and flags any that are missing or configured unsafely.
Multiple headers are analyzed in this section of the report with different resolutions for each. These are detailed below:
Content Security Policy Establishment
What is it?
A Content Security Policy (CSP) lists the approved sources of content that any browser should be allowed to run on the Insured's website. It is used to prevent hackers from sneaking in malicious components or code, referred to as code injection.
What causes this to be flagged on the Risk Report?
You will see a vulnerability in this section if:
- The Content Security Policy header is not implemented
- The Content Security Policy is implemented unsafely (this includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src).
How to Remediate
Implement a Content Security Policy (CSP) header for the affected websites. While each strict CSP configuration is specific to the website it's protecting, here is a guide that may help the Insured's implementation: https://web.dev/strict-csp/.
Secure Browser Connection Setup
What is it?
HTTP Strict Transport Security (HSTS) is a feature that forces a user’s browser to connect only over HTTPS, which encrypts the data it sends using the Transport Layer Security (TLS) protocol.
We check to see if HSTS was configured correctly and set to enforce secure communication for at least 6 months. With this properly set, it ensures the Insured's website visitors can always connect with encryption.
What causes this to be flagged on the Risk Report?
You will see a vulnerability in this section if:
- An HTTP Strict Transport Security (HSTS) header is not implemented
- HSTS cannot take effect because the website's certificate chain is invalid.
How to Remediate
Add the "Strict-Transport-Security" header to the website's HTTP responses with a "max-age" value of at least 6 months; this value tells browsers how long to remember the HSTS policy.
The "max-age" value is expressed in seconds, so the minimum required value for this header is 15,770,000.
Malicious Resource Types Restriction
What is it?
X-Content-Type-Options stops the user’s browser from guessing ("sniffing") the type of a file it is served, which prevents the browser from inadvertently running malicious code while examining the file's content.
This test verifies that the header is configured correctly, so that the browser does not treat documents as code and unwanted scripts are not run.
What causes this to be flagged on the Risk Report?
You will see a vulnerability in this section if an X-Content-Type-Options header is not implemented.
How to Remediate
Enable the X-Content-Type-Options: nosniff HTTP response header.
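The following is an added example, not the report's own scanning logic: a small Python checker that applies the three conditions this article describes (CSP present and free of the unsafe sources named above, HSTS max-age of at least 15,770,000 seconds, and X-Content-Type-Options: nosniff) to a website's response headers. The CSP parsing rules and the wording of the findings are this example's own assumptions.

```python
# Added example (not the report's own logic): score a site's HTTP response headers
# against the three checks this article describes. The max-age threshold is the
# article's 15,770,000 s; the CSP parsing rules are this example's assumption.
HSTS_MIN_AGE = 15_770_000
UNSAFE_SOURCES = {"'unsafe-inline'", "data:", "https:"}  # sources the article calls unsafe

def parse_csp(value):
    """Turn 'script-src a b; object-src c' into {'script-src': ['a', 'b'], ...}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def check_csp(headers):
    value = headers.get("content-security-policy")
    if value is None:
        return ["CSP header not implemented"]
    policy, findings = parse_csp(value), []
    for name in ("script-src", "object-src"):
        # A missing directive inherits default-src; with neither, it is unrestricted.
        sources = policy.get(name, policy.get("default-src"))
        if sources is None:
            findings.append(f"{name} not restricted")
            continue
        bad = sorted(UNSAFE_SOURCES.intersection(sources))
        if bad:
            findings.append(f"{name} allows unsafe sources: {' '.join(bad)}")
    return findings

def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header not implemented"]
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            age = int(num)
            return [] if age >= HSTS_MIN_AGE else [f"HSTS max-age {age} is below {HSTS_MIN_AGE}"]
    return ["HSTS header has no valid max-age"]

def check_nosniff(headers):
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        return ["X-Content-Type-Options: nosniff not implemented"]
    return []

def evaluate(headers):
    # Header names are case-insensitive, so normalise them before checking.
    lowered = {k.lower(): v for k, v in headers.items()}
    return check_csp(lowered) + check_hsts(lowered) + check_nosniff(lowered)
```

Feed `evaluate()` the headers from a real response (for example, from the `headers` attribute of an HTTP client's response object); an empty list means all three checks pass.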