Test Case for common security headers (X-XSS-Protection, X-Frame-Options, X-Content-Type-Options).
Given
HTTP GET or HEAD request on any URL.
Expected
In this template the HTTP status returned is expected to be 200 (OK), and the following security headers are tested:
- X-XSS-Protection tested for value ‘1; mode=block’: this configuration blocks reflected cross-site scripting (XSS) attacks in some browsers.
- X-Frame-Options tested for value ‘DENY’: this configuration prevents a browser from embedding the page in a frame, mainly to prevent clickjacking attacks.
- X-Content-Type-Options tested for value ‘nosniff’: this configuration tells the browser not to guess (sniff) the content type of resources.
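The check above, written out as an added Python example (not the template's own code): it parses a raw HTTP response, verifies the 200 status, and compares each of the three headers against its expected value. Header names are matched case-insensitively; the sample responses are constructed here, not captured from a real server.

```python
EXPECTED_STATUS = 200
# Header name -> expected value, exactly as listed in the test case.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {name: value}).
    Header names are case-insensitive, so they are lower-cased for lookup."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in filter(None, header_block.split("\r\n")):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def same_value(actual: str, expected: str) -> bool:
    """Case-insensitive compare, ignoring spaces ('1;mode=block' == '1; mode=block')."""
    return "".join(actual.split()).lower() == "".join(expected.split()).lower()

def check_security_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the response passes."""
    status, headers = parse_response(raw)
    findings = []
    if status != EXPECTED_STATUS:
        findings.append(f"status {status}, expected {EXPECTED_STATUS}")
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name.lower())
        if actual is None:
            findings.append(f"{name} missing")
        elif not same_value(actual, expected):
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings

# Constructed sample responses (not captured from any real server).
PASSING = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-xss-protection: 1; mode=block\r\n"
           "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n<html></html>")
FAILING = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\nX-Content-Type-Options: nosniff\r\n\r\n"
if __name__ == "__main__":
    for label, resp in (("passing", PASSING), ("failing", FAILING)):
        print(label, check_security_headers(resp) or "OK")
```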
See also: