1.2.1060. Safe HTTP Headers
Avoid configuring HTTP headers with lax restrictions from within PHP.
There are many HTTP security headers these days, each targeting a particular class of vulnerability. To preserve backward compatibility, these headers have a default mode that is lax and permissive. It is recommended to avoid setting them from within the code.
<?php
// Good configuration: access is limited to a single origin
header('Access-Control-Allow-Origin: https://www.exakat.io');

// The header is present but restricts nothing: any external site is a potential source
header('Access-Control-Allow-Origin: *');
?>
See also Hardening Your HTTP Security Headers, How To Secure Your Web App With HTTP Headers and SecurityHeaders.
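The following is an added example, not code from the Exakat documentation: instead of the wildcard shown above, the Access-Control-Allow-Origin header is only emitted when the request's Origin exactly matches an explicit allow-list. The allow-list values and the function names are assumptions.

```php
<?php
// Added example (not from the Exakat documentation): emit a restrictive
// Access-Control-Allow-Origin header by matching the request's Origin
// against an explicit allow-list rather than answering with '*'.
// The allow-list entries and the function names below are assumptions.

function resolveAllowedOrigin(?string $requestOrigin, array $allowedOrigins): ?string
{
    if ($requestOrigin === null || $requestOrigin === '') {
        return null; // Same-origin or non-browser request: no CORS header is needed
    }
    // Strict comparison on the full "scheme://host[:port]" value, no substring matching
    return in_array($requestOrigin, $allowedOrigins, true) ? $requestOrigin : null;
}

function sendCorsHeaders(array $allowedOrigins): void
{
    $origin = resolveAllowedOrigin($_SERVER['HTTP_ORIGIN'] ?? null, $allowedOrigins);
    if ($origin === null) {
        return; // Unknown origin: send no header, so the browser denies the cross-origin read
    }
    // $origin equals an allow-list entry verbatim, so no attacker-controlled bytes reach header()
    header('Access-Control-Allow-Origin: ' . $origin);
    // The response differs per Origin, so shared caches must key on it
    header('Vary: Origin');
}

// Constructed sample allow-list (example values)
$allowedOrigins = ['https://www.exakat.io', 'https://app.example.com'];
sendCorsHeaders($allowedOrigins);
```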
1.2.1060.1. Connex PHP features
1.2.1060.1.1. Suggestions
Remove the usage of these headers from the PHP code
1.2.1060.1.2. Specs
Short name | Security/SafeHttpHeaders
Rulesets |
Exakat since | 1.5.5
PHP Version | All
Severity | Major
Time To Fix | Quick (30 mins)
Precision | High
Available in |