Dir Traversal Insecure Direct Object References Broken Authentication and Session Management Server Side Request Forgery (SSRF) Unvalidated Redirects and Forwards Insecure Cryptographic Storage Relative Path Overwrite (RPO) ...
site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. X-Frame-Options SAMEORIGIN | DENY Information from SecurityHeaders.io
type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff". X-Content-Type-Options nosniff Information from SecurityHeaders.io
several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Content-Security-Policy default-src 'self'; script-src 'self' ... Information from SecurityHeaders.io CSP Builder (Helper): https://report-uri.io/home/generate
and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Strict-Transport-Security max-age=31536000; includeSubdomains; preload Information from SecurityHeaders.io
certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised. Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report- uri="..." Information from SecurityHeaders.io
a fetched resource has been delivered without unexpected manipulation. <script src="https://example.com/example-framework.js" integrity="sha384- Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7" crossorigin="anonymous"></script> Information from . W3C
for a Security Page A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities. https://en.wikipedia.org/wiki/Bug_bounty_program
XSS / RCE / CSRF / ... Description: Detailed explanation of the vulnerability Impact: In the context of the vulnerable service/app. Proof of Concept Data (PoC) * Works in: Google Chrome, Firefox, IE, Safari, ... * Attack Vector: How to trigger the vulnerability. * Payload: What triggers the vulnerability. PoC Image/Video: Visual proof. Mitigation: If we have an idea how to fix, we should suggest. Notes: If pertinent. Always remember to be polite!