HADESS
Attacks Heatmap

0 -> Allow

4. Content-Security-Policy
   Purpose: control what resources the user agent is allowed to load
   Directives:
     default-src -> resources come from the site's own origin
     media-src   -> restrict media to trusted providers
     script-src  -> the specific server that hosts trusted code
   Attacks: XSS, Clickjacking, Misconfiguration

7. Cache-Control
   Purpose: control caching in browsers and shared caches
   Directives:
     no-store -> response directive indicates that any caches of any kind (private or shared) should not store this response
     (directive name not recovered on this page) -> validated with the origin server before each reuse
   Attacks: Cache Inspection, RFD, Misconfiguration

8-9. (header names not recovered on this page)
   inline    -> displayed inline in the browser
   same-site -> only requests from the same site can read the resource
   (same-site and cross-site) can read the resource

10. X-* Extra HTTP Header
   Examples:
     X-Rate-Limit -> control the limit of requests
     X-Origin     -> origin of requests
   Attacks: HTTP Header Injection, Ratelimit Bypass, Misconfiguration

12. Access-Control-Allow-Origin
   Purpose: whether the response can be shared with requesting code from the given origin
   Values: *, <origin>, null
   Attacks: XSS, Host Header Injection, Cache Poisoning, Misconfiguration

13. Access-Control-Allow-Methods
   Purpose: specifies one or more methods allowed
   Values: POST, GET, OPTIONS, *
   Attacks: CSRF, XSS
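As an added example (not part of the Hadess heatmap), the following Python check flags the weak values the table associates with Content-Security-Policy, Cache-Control, Access-Control-Allow-Origin and Access-Control-Allow-Methods. The two sample responses are constructed here, and the check assumes the audited response carries data that should not be cached.

```python
from __future__ import annotations

# Added example, not from the Hadess cheat sheet: audit one response's headers
# against the weak settings listed in the heatmap above.

WEAK_CORS_ORIGINS = {"*", "null"}  # the two ACAO values the table flags


def audit_headers(headers: dict) -> list[str]:
    """Return findings as 'Header: problem -> related attacks' strings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing -> XSS, Clickjacking")
    else:
        # directive names are the first token of each ';'-separated entry
        names = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
        if not names & {"default-src", "script-src"}:
            findings.append("Content-Security-Policy: no default-src/script-src -> XSS")

    # Assumption: the response is sensitive, so no-store is expected.
    tokens = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if "no-store" not in tokens:
        findings.append("Cache-Control: no-store absent -> Cache Inspection, RFD")

    acao = h.get("access-control-allow-origin")
    if acao in WEAK_CORS_ORIGINS:
        findings.append(f"Access-Control-Allow-Origin: {acao} -> XSS, Cache Poisoning")

    methods = {m.strip() for m in h.get("access-control-allow-methods", "").split(",")}
    if "*" in methods:
        findings.append("Access-Control-Allow-Methods: * -> CSRF")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK_RESPONSE = {
    "Content-Security-Policy": "img-src 'self'",
    "Cache-Control": "public, max-age=3600",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST, *",
}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src https://static.example",
    "Cache-Control": "no-store",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
}

if __name__ == "__main__":
    for line in audit_headers(WEAK_RESPONSE):
        print(line)
```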