I wanted to point out that we have a server with an incorrect config for our security headers, but when using https://securityheaders.com/ to scan the site the issues are not displayed in the rating. I get an A, which gives a false sense of achievement as the config was not perfect. You can refer to https://eb1.bar.uk.striata.com for reference.
The sysadmin added the headers twice but also made a typo on X-XSS-Protection. This error can be seen in Chrome's console view.
securityheaders.com did not complain about this error:
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.
Here follow the items it picked up:
Warnings
Content-Security-Policy: This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
X-Frame-Options: There was a duplicate X-Frame-Options header.
X-XSS-Protection: There was a duplicate X-XSS-Protection header.
X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.
Regards,
Danie de Jager
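The failure the report describes, as an added example (not code from securityheaders.com or from the reporter): a small Python checker that folds repeated response headers into one comma-joined value the way a browser does, then parses X-XSS-Protection strictly, so a duplicated header surfaces as the same "expected semicolon at character position 13" parse error Chrome logs rather than as a mere duplicate warning. The header values are constructed; the report does not quote them.

```python
import re
from collections import defaultdict

# Constructed sample of the report's misconfiguration: every header is sent twice
# (values assumed; the report does not quote them).
SAMPLE_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"), ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"), ("X-Content-Type-Options", "nosniff"),
]

def fold_headers(headers):
    """Group raw (name, value) pairs by name and comma-join repeats (RFC 7230 s3.2.2),
    as a browser does: "1; mode=block" sent twice is seen as "1; mode=block, 1; mode=block"."""
    grouped = defaultdict(list)
    for name, value in headers:
        grouped[name.lower()].append(value.strip())
    return {name: ", ".join(vals) for name, vals in grouped.items()}, grouped

def parse_xss_protection(value):
    """Strict parse: ("0"|"1") then zero or more ";mode=block" / ";report=<url>" directives.
    Returns (ok, message); on failure the message gives the offending character position."""
    pos, n = 0, len(value)
    while pos < n and value[pos] == " ":
        pos += 1
    if pos >= n or value[pos] not in "01":
        return False, "expected 0 or 1 at character position %d" % pos
    pos += 1
    while pos < n:
        if value[pos] == " ":
            pos += 1
            continue
        if value[pos] != ";":  # the comma from a folded duplicate lands here
            return False, "expected semicolon at character position %d" % pos
        m = re.match(r";\s*(mode=block|report=[^;\s]+)", value[pos:])
        if not m:
            return False, "unknown directive at character position %d" % (pos + 1)
        pos += m.end()
    return True, "ok"

def audit(headers):
    """Findings a scanner should raise: duplicates, plus the parse failure they cause."""
    folded, grouped = fold_headers(headers)
    findings = ["duplicate header: %s sent %d times" % (name, len(vals))
                for name, vals in grouped.items() if len(vals) > 1]
    if "x-xss-protection" in folded:
        ok, msg = parse_xss_protection(folded["x-xss-protection"])
        if not ok:
            findings.append("X-XSS-Protection %r is unparseable: %s; the browser falls back "
                            "to its default" % (folded["x-xss-protection"], msg))
    return findings
```

Running `audit(SAMPLE_HEADERS)` yields three duplicate findings and one parse-failure finding; the same header sent once yields none.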