The following HTTP headers should be standard practice on web servers. If you are performing a penetration test and the server lacks any of the following headers:
- HTTP Strict Transport Security (HSTS): The Strict-Transport-Security response header informs the browser that the site should only be accessed over HTTPS and that any future attempt to access it over HTTP should automatically be converted to HTTPS.
- X-Frame-Options: The X-Frame-Options HTTP header allows content publishers to prevent their own content from being loaded in an invisible frame by attackers.
- X-XSS-Protection: The X-XSS-Protection response header stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack.
- Cache-Control: The Cache-Control HTTP header specifies browser caching policies in both client requests and server responses. Policies include how a resource is cached, where it is cached, and its maximum age before it expires.
- Content-Security-Policy: The Content-Security-Policy response header allows web site administrators to control which resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting (XSS) attacks.
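As an added example (not part of the original note), a small Python checker that audits a parsed response header map for the five headers above; the one-year HSTS threshold and the two sample responses are assumptions constructed for illustration.

```python
from typing import Dict, List

# Assumed threshold: an HSTS max-age of at least one year (in seconds).
MIN_HSTS_MAX_AGE = 31536000


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak security headers in a response header map."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age is below one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    # Current browsers have dropped the XSS auditor, so only flag a missing
    # X-XSS-Protection when there is no CSP to compensate for it.
    if "x-xss-protection" not in h and "content-security-policy" not in h:
        findings.append("missing X-XSS-Protection and no CSP to compensate")
    if "cache-control" not in h:
        findings.append("missing Cache-Control")
    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "0",
    "Cache-Control": "no-store",
}
```

Call `audit_headers(...)` on the header map returned by your HTTP client; an empty list means all five headers are present with acceptable values.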