{PRODUCT} detected that password data is being transmitted over HTTP.
{PRODUCT} detected that an insecure transport security protocol (SSLv3) is supported by your web server.
SSLv3 has several flaws. An attacker can cause connection failures and force a downgrade to SSL 3.0 in order to exploit vulnerabilities like POODLE.
Configure your web server to disallow SSLv3 (and any other weak protocols). You need to restart the web server for the change to take effect.
Apache: set the SSLProtocol directive so that SSLv3 is not enabled, for example:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
nginx: edit the nginx.conf file and remove SSLv3 from the ssl_protocols directive:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
IIS (Windows): open the Registry Editor (type regedt32 or regedit in the Run dialog, and then click OK) and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\
Locate the Server subkey, or create it if it doesn't exist. Under the Server key, locate a DWORD value named Enabled, or create it if it doesn't exist, and set its value to "0".
lighttpd: add the following to the configuration file:
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
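A configuration check for the directives above, added here as an example (it is not the scanner's code nor any web server's): it resolves Apache SSLProtocol, nginx ssl_protocols and lighttpd ssl.use-sslv2/ssl.use-sslv3 lines into the set of protocols still enabled and reports any that are weak, so it also covers the TLS 1.0 finding described further below. The add/remove/replace semantics assumed for SSLProtocol, the expansion of Apache's all keyword, and treating a missing lighttpd option as "enabled" are assumptions, stated again in the comments.

```python
import re

# Protocols this check treats as insecure (the ones these findings are about).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Assumed expansion of Apache mod_ssl's "all" keyword (2.4 builds with TLS 1.3).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def apache_enabled_protocols(directive):
    """Resolve an Apache SSLProtocol directive into the set of enabled protocols.

    Assumed mod_ssl semantics: a '+' token adds, a '-' token removes, and an
    unprefixed token (or 'all') replaces whatever was set before it.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def nginx_enabled_protocols(directive):
    """Parse an nginx ssl_protocols directive; the listed names are exactly what is enabled."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return set(m.group(1).split())


def lighttpd_enabled_protocols(config_text):
    """Return which of SSLv2/SSLv3 a lighttpd configuration leaves switched on.

    Conservative assumption for an audit: a legacy protocol counts as enabled
    unless an ssl.use-sslv2 / ssl.use-sslv3 line explicitly sets "disable".
    """
    enabled = {"SSLv2", "SSLv3"}
    for proto, key in (("SSLv2", "ssl.use-sslv2"), ("SSLv3", "ssl.use-sslv3")):
        m = re.search(r'^\s*%s\s*=\s*"(\w+)"' % re.escape(key), config_text, re.M)
        if m and m.group(1).lower() == "disable":
            enabled.discard(proto)
    return enabled


def weak_protocols(enabled):
    """Intersect an enabled-protocol set with the weak list."""
    return enabled & WEAK_PROTOCOLS


def audit_config(text):
    """Scan a configuration file and return [(line, weak protocols still enabled)].

    Recognises Apache SSLProtocol and nginx ssl_protocols lines; the lighttpd
    options are evaluated over the whole file because they are separate lines.
    """
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("sslprotocol"):
            findings.append((stripped, weak_protocols(apache_enabled_protocols(stripped))))
        elif stripped.startswith("ssl_protocols"):
            findings.append((stripped, weak_protocols(nginx_enabled_protocols(stripped))))
    if "ssl.use-sslv" in text:
        findings.append(("ssl.use-sslv2/3", weak_protocols(lighttpd_enabled_protocols(text))))
    return findings


if __name__ == "__main__":
    # Constructed sample: a common Apache line that only drops SSLv3, next to a clean nginx line.
    for line, weak in audit_config("SSLProtocol all -SSLv3\nssl_protocols TLSv1.2 TLSv1.3;\n"):
        print(line, "->", "OK" if not weak else "still allows " + ", ".join(sorted(weak)))
```

The sample run shows the case worth remembering: SSLProtocol all -SSLv3 resolves the SSLv3 finding but still leaves TLSv1 enabled, so the same file would come back with the TLS 1.0 finding.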
{PRODUCT} detected that autocomplete is enabled in one or more of the form fields which might contain sensitive information like "username", "credit card" or "CVV".
{PRODUCT} identified that the target web server is disclosing the Ruby version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Ruby.
{PRODUCT} identified that the target web server is disclosing the WEBrick version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of WEBrick.
{PRODUCT} detected that an insecure transport security protocol (TLS 1.0) is supported by your web server.
TLS 1.0 has several flaws. An attacker can cause connection failures and force a downgrade to TLS 1.0 in order to exploit vulnerabilities like BEAST (Browser Exploit Against SSL/TLS).
Websites using TLS 1.0 will be considered non-compliant by PCI after 30 June 2018.
Configure your web server to disallow TLS 1.0 (and any other weak protocols). You need to restart the web server for the change to take effect.
Apache: set the SSLProtocol directive so that TLSv1 is not enabled, for example:
SSLProtocol +TLSv1.1 +TLSv1.2
nginx: edit the nginx.conf file and remove TLSv1 from the ssl_protocols directive:
ssl_protocols TLSv1.1 TLSv1.2;
IIS (Windows): open the Registry Editor (type regedt32 or regedit in the Run dialog, and then click OK) and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
Locate the Server subkey, or create it if it doesn't exist. Under the Server key, locate a DWORD value named Enabled, or create it if it doesn't exist, and set its value to "0".
{PRODUCT} detected a Robots.txt
file with potentially sensitive content.
Review the entries listed in Robots.txt, and ensure that the resources they point to are correctly protected by means of authentication. Robots.txt is only used to instruct search robots which resources should be indexed and which ones should not; it does not restrict access to them.
User-Agent: *
Allow: /web/
Disallow: /
Please note that when you use the instructions above, search engines will not index your website except for the specified directories.
If you want to hide certain sections of the website from search engines, the X-Robots-Tag can be set in the response header to tell crawlers whether the file should be indexed or not:
X-Robots-Tag: googlebot: nofollow
X-Robots-Tag: otherbot: noindex, nofollow
By using X-Robots-Tag you don't have to list these files in your Robots.txt.
It is also not possible to prevent media files from being indexed by using robots meta tags, since such files contain no HTML in which to place the tag. X-Robots-Tag resolves this issue as well.
For Apache, the following snippet can be put into httpd.conf or an .htaccess file to prevent crawlers from indexing multimedia files without exposing them in Robots.txt:
<Files ~ "\.pdf$">
    # Don't index PDF files.
    Header set X-Robots-Tag "noindex, nofollow"
</Files>
<Files ~ "\.(png|jpe?g|gif)$">
    # Don't index image files.
    Header set X-Robots-Tag "noindex"
</Files>
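To make the Allow/Disallow behaviour above concrete, and to support the review the Robots.txt finding asks for, here is an added Python example (not part of the scanner or the original page) that parses a robots.txt, evaluates whether a crawler may fetch a given path, and lists the Disallow entries that name specific resources and therefore need an authentication check. The sample robots.txt is constructed for the example, and the longest-prefix matching is a simplification of what major crawlers implement.

```python
# Constructed sample robots.txt: the report's Allow/Disallow lines plus two
# specific entries of the kind that must be reviewed for authentication.
SAMPLE_ROBOTS = """\
User-Agent: *
Allow: /web/
Disallow: /
Disallow: /admin/
Disallow: /backup/db.sql  # comment on a rule line
"""


def parse_robots(text):
    """Parse robots.txt into [(user_agents, rules)], rules being (directive, path).

    Comments ('#') and blank lines are ignored and field names are case-insensitive.
    Consecutive User-Agent lines share one rule group, as in the robots.txt convention.
    """
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules:                       # rules already seen: a new group begins
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field, value))
    if agents or rules:
        groups.append((agents, rules))
    return groups


def is_allowed(groups, user_agent, path):
    """Decide whether a crawler may fetch path.

    A group naming the agent wins over the '*' group; within a group the longest
    matching path prefix wins and Allow beats Disallow on a tie (simplified
    version of the matching major crawlers apply). No matching rule means allowed.
    """
    chosen = None
    for agents, rules in groups:
        if user_agent.lower() in agents:
            chosen = rules
            break
        if "*" in agents and chosen is None:
            chosen = rules
    if chosen is None:
        return True
    best_len, best_dir = -1, "allow"
    for directive, prefix in chosen:
        if not prefix or not path.startswith(prefix):   # "Disallow:" (empty) matches nothing
            continue
        if len(prefix) > best_len or (len(prefix) == best_len and directive == "allow"):
            best_len, best_dir = len(prefix), directive
    return best_dir == "allow"


def paths_to_review(groups):
    """List Disallow entries that name specific resources rather than the whole site.

    These are what the Robots.txt finding is about: they advertise a path to
    anyone who reads the file, so each must be protected by authentication
    rather than by the Disallow line itself.
    """
    return [path for _, rules in groups for directive, path in rules
            if directive == "disallow" and path not in ("", "/")]


if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    print("crawlable /web/page.html:", is_allowed(groups, "Googlebot", "/web/page.html"))
    print("crawlable /about:", is_allowed(groups, "Googlebot", "/about"))
    print("review for authentication:", paths_to_review(groups))
```

With the constructed file, only paths under /web/ are crawlable, which is exactly the effect the note above describes, while /admin/ and /backup/db.sql are reported for review because a Disallow line hides them from well-behaved crawlers only.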
{PRODUCT} detected that autocomplete is enabled in one or more of the password fields.
{PRODUCT} identified that the target web site is using Ruby and detected that it is out of date.
Please upgrade your installation of Ruby to the latest stable version.
{PRODUCT} identified that the target web site is using jQuery and detected that it is out of date.
Please upgrade your installation of jQuery to the latest stable version.
{PRODUCT} identified that the target web site is using jQuery UI Dialog and detected that it is out of date.
Please upgrade your installation of jQuery UI Dialog to the latest stable version.
{PRODUCT} identified that the target web site is using jQuery UI Autocomplete and detected that it is out of date.
Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.
{PRODUCT} identified that the target web site is using jQuery UI Tooltip and detected that it is out of date.
Please upgrade your installation of jQuery UI Tooltip to the latest stable version.
{PRODUCT} detected a missing X-XSS-Protection header, which means that this website could be at risk of Cross-site Scripting (XSS) attacks. Send the header as follows:
X-XSS-Protection: 1; mode=block
Cookies are typically sent to third parties in cross-origin requests. This can be abused to perform CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, in order to prevent CSRF attacks.
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header:
Set-Cookie: key=value; SameSite=strict
There are two possible values for the SameSite attribute: Strict and Lax.
In Strict mode, the cookie is not sent with any cross-site request, even if the user follows a link to another website. Lax cookies are only sent with top-level GET requests.
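An added Python example (not part of the original page) that parses Set-Cookie headers, models when a cookie accompanies a cross-site request under the Strict and Lax modes just described, and flags cookies that lack a restrictive SameSite value. The sample headers are constructed for the example.

```python
# Constructed Set-Cookie headers for the checks below.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "csrf=tok; Path=/; SameSite=Lax",
    "legacy=1; Path=/",
    "tracker=xyz; SameSite=None; Secure",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def sent_cross_site(samesite, top_level_navigation, method):
    """Model whether a cookie accompanies a cross-site request.

    Strict: never. Lax: only on a top-level GET navigation. A cookie with no
    SameSite attribute, or any other value, is treated as sent, which is the
    behaviour this finding warns about.
    """
    mode = (samesite or "").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return bool(top_level_navigation and method.upper() == "GET")
    return True


def samesite_findings(header):
    """Return a list of audit messages for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        return ["%s: no SameSite attribute; cookie is sent with cross-site requests" % name]
    if samesite.lower() not in ("strict", "lax"):
        return ["%s: SameSite=%s does not restrict cross-site sending" % (name, samesite)]
    return []


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, _, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite")
        samesite = None if samesite is True else samesite
        print(name, "| sent on cross-site POST:", sent_cross_site(samesite, False, "POST"),
              "| findings:", samesite_findings(header))
```

The model makes the CSRF point visible: a form POST from another site carries the legacy and tracker cookies but neither the Strict session cookie nor the Lax csrf cookie, and only a top-level GET navigation (a followed link) brings the Lax cookie along.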
CSP is an added layer of security that helps to mitigate mainly Cross-site Scripting attacks.
CSP can be enabled by instructing the browser with a Content-Security-Policy directive in a response header:
Content-Security-Policy: script-src 'self';
or in a meta tag:
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
In the above example, script loading is restricted to the same origin only. It will also restrict inline script execution, both in element attributes and in event handlers. There are various directives which you can use when declaring a CSP.
When setting the CSP directives, you can also use CSP keywords such as 'self', 'none', 'unsafe-inline' and 'unsafe-eval' (the last of which permits the use of eval()).
In addition to CSP keywords, you can also use a wildcard or only a scheme when defining the whitelisted URLs for the directives. The wildcard can be used for the subdomain and port portions of the URLs:
Content-Security-Policy: script-src https://*.example.com;
Content-Security-Policy: script-src https://example.com:*;
Content-Security-Policy: script-src https:;
It is also possible to set a CSP in Report-Only mode instead of enforcing it immediately during the migration period. This way you can see the violations of the policy in the current state of your web site while migrating to CSP:
Content-Security-Policy-Report-Only: script-src 'self'; report-uri https://example.com;
Enable CSP on your website by sending the Content-Security-Policy header in HTTP responses, which instructs the browser to apply the policies you specified.
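An added Python example, not part of the original page, that parses Content-Security-Policy and Content-Security-Policy-Report-Only headers into directives and reports the weaknesses discussed in this section: a report-only policy with nothing enforced, no script restriction at all, and script sources that are 'unsafe-inline', 'unsafe-eval', a bare wildcard or a bare scheme. The header sets are constructed; the report-uri path /csp-reports on example.com is a placeholder.

```python
import re

# Constructed response-header sets for the audit below.
ENFORCED_OK = {"Content-Security-Policy": "script-src 'self';"}
ENFORCED_WEAK = {"Content-Security-Policy":
                 "default-src 'self'; script-src 'self' 'unsafe-inline' https:;"}
REPORT_ONLY = {"Content-Security-Policy-Report-Only":
               "script-src 'self'; report-uri https://example.com/csp-reports"}


def parse_csp(value):
    """Parse a policy string into {directive: [sources]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive. A repeated directive keeps its first occurrence.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy):
    """Sources that govern scripts: script-src, falling back to default-src."""
    return policy.get("script-src", policy.get("default-src"))


def csp_findings(headers):
    """Audit a response's CSP headers and return a list of messages.

    Checks that an enforced policy exists (report-only alone blocks nothing),
    that scripts are restricted at all, and that the script allow-list avoids
    'unsafe-inline', 'unsafe-eval' and overly broad '*' or scheme-only entries.
    """
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    findings = []
    if enforced is None:
        findings.append("no enforced policy"
                        + (" (report-only header present)" if report_only else ""))
    policy = parse_csp(enforced if enforced is not None else (report_only or ""))
    sources = script_sources(policy)
    if sources is None:
        findings.append("neither script-src nor default-src set: scripts may load from anywhere")
        return findings
    for src in sources:
        low = src.lower()
        if low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append("script allow-list contains %s" % src)
        elif low == "*" or re.fullmatch(r"[a-z][a-z0-9+.-]*:", low):
            findings.append("script source %s is a bare wildcard or scheme, not a host" % src)
    return findings


if __name__ == "__main__":
    for label, hdrs in (("ok", ENFORCED_OK), ("weak", ENFORCED_WEAK), ("report-only", REPORT_ONLY)):
        print(label, "->", csp_findings(hdrs) or "no findings")
```

A subdomain wildcard such as https://*.example.com passes the check, matching the guidance above, while a bare https: source is reported because it admits scripts from any host.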