[http] [info] hints back for each of the http-missing-security-headers errors #4347
I am testing my own Caddy server for problems locally. I ran a single scan and got some errors back. I was wondering if there is a way to get the [http] [info] hints back for each of the http-missing-security-headers errors? Then I could find out what I need to do to remove these errors.

nuclei -u https://browse.localhost/
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.3

        projectdiscovery.io
[INF] Current nuclei version: v3.0.3 (latest)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 7205
[INF] Executing 7220 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1236 (Reduced 1205 Requests)
[caa-fingerprint] [dns] [info] browse.localhost
[INF] Using Interactsh Server: oast.me
[fingerprinthub-web-fingerprints:apilayer-caddy] [http] [info] https://browse.localhost/
[tech-detect:caddy] [http] [info] https://browse.localhost/
[http-missing-security-headers:clear-site-data] [http] [info] https://browse.localhost/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://browse.localhost/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://browse.localhost/
[http-missing-security-headers:x-frame-options] [http] [info] https://browse.localhost/
[http-missing-security-headers:x-content-type-options] [http] [info] https://browse.localhost/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://browse.localhost/
[http-missing-security-headers:referrer-policy] [http] [info] https://browse.localhost/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://browse.localhost/
[http-missing-security-headers:strict-transport-security] [http] [info] https://browse.localhost/
[http-missing-security-headers:content-security-policy] [http] [info] https://browse.localhost/
[http-missing-security-headers:permissions-policy] [http] [info] https://browse.localhost/
[waf-detect:ats] [http] [info] https://browse.localhost/
[ssl-dns-names] [ssl] [info] browse.localhost:443 [browse.localhost]
[tls-version] [ssl] [info] browse.localhost:443 [tls12]
[tls-version] [ssl] [info] browse.localhost:443 [tls13]
Replies: 1 comment
The names of the missing https headers you have there are in the results after the colon in `http-missing-security-headers:`. This just means that these are missing in the site it's scanning. You'd just add those headers to your site. The severity of not having those headers can vary, but it's up to you which you really want to keep and which you feel need to be present. Here's a list of all http headers and more info about them: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
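
One way to add the headers named in the scan output on a Caddy site, as an added example that is not part of the original discussion. The site address comes from the scan above; every header value and the `/logout` path are assumptions to adapt to the application being served.

```caddyfile
# Added example. Values are common restrictive starting points (assumptions),
# not settings taken from the scanned site.
browse.localhost {
	header {
		# Only honoured over HTTPS. Use a short max-age while testing,
		# because browsers cache this commitment.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"

		# Stop MIME sniffing of responses.
		X-Content-Type-Options "nosniff"

		# Refuse framing (clickjacking); frame-ancestors in the CSP below
		# is the modern equivalent and both can be sent together.
		X-Frame-Options "DENY"

		Referrer-Policy "strict-origin-when-cross-origin"
		X-Permitted-Cross-Domain-Policies "none"

		# Cross-origin isolation. require-corp blocks cross-origin
		# subresources that do not opt in, so test embedded content.
		Cross-Origin-Opener-Policy "same-origin"
		Cross-Origin-Embedder-Policy "require-corp"
		Cross-Origin-Resource-Policy "same-origin"

		# Disable browser features the site does not use.
		Permissions-Policy "camera=(), microphone=(), geolocation=()"

		# Must match what the application actually loads; inline scripts
		# and third-party assets will be blocked by this policy.
		Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
	}

	# Clear-Site-Data wipes cookies and storage for the origin, so send it
	# only where that is intended. /logout is a hypothetical path.
	header /logout Clear-Site-Data "\"cookies\", \"storage\""

	# The site's existing directives (reverse_proxy, file_server, ...) stay here.
}
```

After reloading Caddy, re-running the same `nuclei -u https://browse.localhost/` scan should no longer list the headers set for every response; `clear-site-data` will still be reported for `/` because it is deliberately sent only on the logout path.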