Skip to content

Commit

Permalink
Update 0x50-V50-Web-Frontend-Security.md
Browse files Browse the repository at this point in the history
  • Loading branch information
jmanico authored Nov 7, 2024
1 parent 927c423 commit 66e21c4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion 5.0/en/0x50-V50-Web-Frontend-Security.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ The category focuses on requirements that protect against attacks that are execu
| **50.2.1** | [MODIFIED, MOVED FROM 14.4.3] Verify that every HTTP response includes a Content-Security-Policy header to reduce the risk of malicious JavaScript. The directives object-src 'none' and base-uri 'none' must be defined. For an L3 application, a per-response policy with nonces or hashes must be defined. | ||| |
| **50.2.2** | [GRAMMAR, MOVED FROM 14.4.4] Verify that all responses contain a X-Content-Type-Options: nosniff header field. |||| 116 |
| **50.2.3** | [MODIFIED, MOVED FROM 14.4.5] Verify that a Strict-Transport-Security header field is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. |||| 523 |
| **50.2.4** | [GRAMMAR, MOVED FROM 14.4.6] Verify that an suitable Referrer-Policy header is included to prevent sensitive information in the URL from being exposed to untrusted parties via the Referer header. |||| 116 |
| **50.2.4** | [MODIFIED, MOVED FROM 14.4.6] Verify that an suitable Referrer-Policy header is included to prevent sensitive information in the URL from being exposed to untrusted parties via the Referer header. |||| 116 |
| **50.2.5** | [MODIFIED, MOVED FROM 14.4.7] Verify that the content of the web application cannot be embedded in a third-party site by default, and that embedding of specific resources is allowed only when necessary, using the Content-Security-Policy frame-ancestors directive. Note that X-Frame-Options is now obsolete. |||| 1021 |
| **50.2.6** | [ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header field is validated against an allowlist of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information. |||| 183 |
| **50.2.7** | [ADDED] Verify that the Content-Security-Policy header field specifies a location to report violations. | | || |
Expand Down

0 comments on commit 66e21c4

Please sign in to comment.