1.2.1053. Safe HTTP Headers
Avoid configuring HTTP headers with lax restrictions from within PHP.
There are many security-related HTTP headers these days, each targeting a particular class of vulnerability. To preserve backward compatibility, these headers have a default mode that is lax and permissive, so a header that is set with a permissive value restricts nothing while giving the impression of protection. It is recommended to avoid setting these headers from within the code.
<?php
// Good configuration: access is limited to one explicit origin
header('Access-Control-Allow-Origin: https://www.exakat.io');
// The header is present but restricts nothing: any external site is a potential source
header('Access-Control-Allow-Origin: *');
?>
See also Hardening Your HTTP Security Headers, How To Secure Your Web App With HTTP Headers and SecurityHeaders.
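Where a header genuinely has to be emitted from PHP (here the CORS origin depends on the request), the strict counterpart of the lax `*` configuration above, as an added example that is not part of the Exakat documentation; the allowlist contents and the corsOriginHeader function are assumptions:

```php
<?php
// Added example, not from the Exakat rule documentation. When a CORS header must
// be emitted from PHP, reflect the requesting Origin only if it is on an explicit
// allowlist, and never fall back to '*'.

// Constructed sample allowlist; replace with the real origins of the application.
const ALLOWED_ORIGINS = ['https://www.exakat.io', 'https://app.example.com'];

function corsOriginHeader(?string $requestOrigin, array $allowed): ?string
{
    if ($requestOrigin === null) {
        return null; // same-origin or non-browser request: no CORS header needed
    }
    // Exact match only: a prefix or substring check would let an origin such as
    // https://www.exakat.io.attacker.example through.
    if (in_array($requestOrigin, $allowed, true)) {
        return 'Access-Control-Allow-Origin: ' . $requestOrigin;
    }
    return null; // unknown origin: emit nothing, so the browser blocks the read
}

$cors = corsOriginHeader($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS);
if ($cors !== null) {
    header($cors);
    // The response differs per Origin, so shared caches must key on it.
    header('Vary: Origin');
}

// Other headers whose absence leaves the browser in its permissive default mode;
// set them explicitly with restrictive values rather than relying on the default.
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('Referrer-Policy: no-referrer');
header("Content-Security-Policy: default-src 'self'");
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    // Only meaningful on a TLS response; two years, covering subdomains.
    header('Strict-Transport-Security: max-age=63072000; includeSubDomains');
}
```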
1.2.1053.1. Suggestions
Remove usage of those headers from the code.
1.2.1053.2. Specs
Short name | Security/SafeHttpHeaders
Rulesets |
Exakat since | 1.5.5
PHP Version | All
Severity | Major
Time To Fix | Quick (30 mins)
Precision | High
Features | http-header
Available in |