Autocomplete Enabled

If autocomplete is enabled on a form, the browser may store sensitive information entered in it, such as a "username" or other data.
If a user saves the data entered in these fields, the browser caches it, and an attacker can then access this information.
This is especially important if the application is used on computers in public places, such as cyber-cafes and airport terminals.

Fix this by adding the attribute autocomplete="off" to the form tag or to the individual "input" fields.

Active Mixed Content over HTTPS

This error occurs when content is loaded over HTTP within an HTTPS page.
If the HTTPS page includes content such as scripts or stylesheets retrieved through regular, cleartext HTTP, then the connection is only partially encrypted.

There are a few technologies for dealing with this type of mixed content issue:

1. HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even if the user makes a mistake (for example, attempting to access the web site on port 80) or the code contains errors.

2. Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites.

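Set the .htaccess rule as:

# A CSP value needs a directive name; "domain" stands for the trusted origin to allow besides the site itself
Header set Content-Security-Policy "default-src 'self' domain"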

HTTP Strict Transport Security (HSTS) Errors and Warnings

HSTS errors and warnings allow attackers to bypass HSTS and to read and modify the communication of the website.
To fix this error, consider adding the domain to the HSTS preload list.
This ensures that browsers automatically connect to your website using HTTPS and prevents users from visiting your website over HTTP.

Set the .htaccess rule as:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

TRACE/TRACK Method Detected

This issue occurs when the TRACE/TRACK method is allowed. By using the TRACE/TRACK method, it is possible to bypass the HttpOnly cookie limitation and read the cookies in a cross-site scripting attack.

You should disable this method in all production systems. Even if the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.

Set the .htaccess rule as:

# Rewrite rules only take effect once the engine is switched on
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Insecure Frame (External)

An insecure frame finding occurs when an external iframe is insecure or misconfigured.

Iframe sandboxing applies a set of additional restrictions to the content within a frame and restricts its potentially malicious code from causing harm to the web page.

For example, apply sandbox to the inline frame:

<iframe sandbox src="url"></iframe>
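
Three of the findings above (autocomplete enabled, active mixed content, insecure external frame) can be checked from a page's HTML before a scanner reports them. The following Python script is an added example, not part of the original article: the names PageAudit and audit, the host shop.example and the sample page are assumptions made for illustration, and it treats an external iframe without a sandbox attribute as the insecure-frame case.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE = {"script": "src", "link": "href", "iframe": "src"}  # tag -> URL attribute
FIELDS = ("text", "password", "email")  # input types whose values get remembered

class PageAudit(HTMLParser):
    """Collects (finding, detail) tuples for one HTML page served over HTTPS."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.form_ac, self.findings = page_host, "", []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs (sandbox) become ""
        if tag == "form":
            self.form_ac = a.get("autocomplete", "")
        elif tag == "input" and a.get("type", "text").lower() in FIELDS:
            # The field's own attribute wins; otherwise it inherits the form's.
            if a.get("autocomplete", self.form_ac).lower() != "off":
                self.findings.append(("autocomplete-enabled", a.get("name", "?")))
        if tag not in ACTIVE or (tag == "link" and "stylesheet" not in a.get("rel", "").lower()):
            return
        url = urlparse(a.get(ACTIVE[tag], ""))
        if url.scheme == "http":  # cleartext fetch inside an HTTPS page
            self.findings.append(("active-mixed-content", url.geturl()))
        external = url.hostname not in (None, self.page_host)
        if tag == "iframe" and external and "sandbox" not in a:
            self.findings.append(("unsandboxed-external-frame", url.geturl()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_ac = ""

def audit(html, page_host):
    parser = PageAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page, assumed to be served from https://shop.example
SAMPLE = """
<form action="/login"><input name="user"><input type="password" name="pw" autocomplete="off"></form>
<form autocomplete="off"><input name="card"></form>
<script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<iframe src="https://ads.example/slot"></iframe>
<iframe sandbox src="https://ads.example/slot2"></iframe>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE, "shop.example"), sep="\n")
```

On the sample page it reports the "user" field, the script fetched over cleartext HTTP and the first iframe; the fields covered by autocomplete="off", the HTTPS stylesheet and the sandboxed frame pass.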