Security Headers

Test Case for common security headers (X-XSS-Protection, X-Frame-Options, X-Content-Type-Options).

Given

HTTP GET or HEAD request on any URL.

Expected

In this template the HTTP Status returned is expected to be 200 (OK) and the following security headers are tested:

• X-XSS-Protection tested for value ‘1; mode=block’: this configuration blocks reflected cross-site scripting (XSS) attacks in some browsers
• X-Frame-Options tested for value ‘DENY’: this configuration blocks a browser from embedding a page in a frame, mainly to prevent clickjacking attacks.
• X-Content-Type-Options tested for value ‘nosniff’: this configuration tells the browser not to guess the content types of resources.

More information

See also:

• X-XSS-Protection (MDN)
• X-Frame-Options (RFC 7034)
• X-Content-Type-Options (MDN)