WSTG-CONF-XX - Security Header Misconfiguration

[websecnl]

Can i submit a pull request for a content update for a new CONF item for "Security Header Misconfiguration"

• Security Header with a Empty Value
• Security Header with an invalid value or name (Typos)
• Overpermissive Security Headers (Allow-Credentials, *)
• Duplicate Security Headers
• Legacy Security Headers (which are no longer supported such as HPKP)

There doesnt seem to be anyone which covers these scenarios yet. Please do let me know if I am wrong.

Otherwise, what do you guys think?

[kingthorin]

I'd be fine with this. Just give me a few days to consider if it belong amongst an existing section

[websecnl]

I'd be fine with this. Just give me a few days to consider if it belong amongst an existing section

Sure, take your time.

[rbsec]

Another one to add to the list would be headers in places where they're not valid - such as a Strict-Transport-Security header being returned in a HTTP response (rather than over HTTPS).

[kingthorin]

I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

[websecnl]

I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

No problem, take your time buddy. I'll also be a bit busy until a few weeks into 2025 anyways.