All web application content is offered exclusively using HTTPS.
Ensure all HTTP request headers are properly validated to prevent security vulnerabilities. This includes checking that headers conform to expected formats and rejecting any request with malformed or suspicious headers. Apply validation to common headers such as User-Agent, Referer, and Authorization to avoid exploitation through header injection or abuse. Implement allow-lists for approved header values and set length limits so that oversized headers cannot overload the server. Validating headers in this way protects against a class of attacks and improves the overall security posture of the application.
- V14.5.1 Accept Valid HTTP Methods: Only accept the required HTTP methods (e.g., GET, POST) and log/alert on invalid requests.
- V14.5.2 Validate Origin Header Usage: Do not use the Origin header for authentication or access control decisions, as it can be manipulated.
- V14.5.3 Strict CORS Allow List: Ensure CORS headers use a strict allow list of trusted domains and do not support "null" origin.
- V14.5.4 Authenticate Proxy or SSO Headers: Authenticate headers (e.g., bearer tokens) added by trusted proxies or SSO devices to prevent unauthorized access.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-01-06-01-01-01 | Accept only valid HTTP methods | Ensure that only the required HTTP methods (e.g., GET, POST) are accepted by the server. Log and alert on any invalid or unexpected HTTP methods to detect potential malicious activity. | Development | Security Engineers, IT Operations |
SSS-01-06-01-01-02 | Validate origin header usage | Do not rely on the Origin header for authentication or access control decisions, as it can be manipulated by attackers. Instead, use secure methods to authenticate and control access. | Development | Security Engineers, Web Developers |
SSS-01-06-01-01-03 | Implement strict Cross-Origin Resource Sharing (CORS) allow list | Configure CORS headers to use a strict allow list of trusted domains. Do not support "null" origins, as they can introduce security risks by allowing requests from untrusted sources. | Development | Web Developers, Security Engineers |
SSS-01-06-01-01-04 | Authenticate proxy or SSO headers | Authenticate headers added by trusted proxies or Single Sign-On (SSO) devices (e.g., bearer tokens) to prevent unauthorized access. This ensures that only legitimate requests can access the application. | Development | Security Engineers, IT Operations |
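The following is an added illustration (not code from the standard or from any project it cites) of how the four operations above can be enforced in one request-validation step: a method allow list, header length and CR/LF checks, a strict CORS allow list that never trusts the "null" origin, and HMAC verification of an identity header set by a trusted proxy. The header names `X-Forwarded-User` and `X-Proxy-Signature`, the shared secret, and the allowed origins are constructed for the example.

```python
import hashlib
import hmac

# Allow lists and limits for this example (constructed values, not from a real deployment).
ALLOWED_METHODS = frozenset({"GET", "POST"})
TRUSTED_ORIGINS = frozenset({"https://app.example.com"})
MAX_HEADER_LEN = 4096
# Secret known only to the trusted proxy and the application (constructed placeholder).
PROXY_SECRET = b"replace-with-a-random-32-byte-secret"


def sign_proxy_identity(user):
    """What the trusted proxy puts in X-Proxy-Signature (hypothetical HMAC scheme)."""
    return hmac.new(PROXY_SECRET, user.encode(), hashlib.sha256).hexdigest()


def cors_allowed_origin(origin):
    """Return the value to echo in Access-Control-Allow-Origin, or None if not allowed."""
    # The literal "null" origin (sandboxed frames, file://, some redirects) is never trusted.
    if origin is None or origin == "null":
        return None
    return origin if origin in TRUSTED_ORIGINS else None


def verify_proxy_identity(headers):
    """Accept X-Forwarded-User only when the proxy's HMAC over it verifies."""
    user = headers.get("x-forwarded-user")
    sig = headers.get("x-proxy-signature")
    if not user or not sig:
        return None
    # Constant-time comparison so the expected MAC cannot be recovered byte by byte.
    return user if hmac.compare_digest(sign_proxy_identity(user), sig) else None


def validate_request(method, headers):
    """Decide whether to serve a request; returns (status, detail)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if method not in ALLOWED_METHODS:  # HTTP method names are case-sensitive
        return 405, f"method {method!r} not allowed"  # log and alert on this path
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN or "\r" in value or "\n" in value:
            return 400, f"malformed header {name}"
    # Origin only drives the CORS response header; it is never an access-control input.
    origin = cors_allowed_origin(headers.get("origin"))
    user = verify_proxy_identity(headers)
    if "x-forwarded-user" in headers and user is None:
        return 401, "proxy identity header failed authentication"
    return 200, {"cors_origin": origin, "user": user}
```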
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1552); OWASP Application Security Verification Standard | | |