1. HTTPOnly not Set on Application Cookie
   session.php line:151 Vulnerable Snippet
   line:151 'secure' => false,
2. Free proxy issue
   app/config/custom.php Vulnerable Snippet
   A free proxy could leak information on the internet.
3. X-Frame-Options
   app/config/cors.php line: 31 Vulnerable Snippet
   Without setting X-Frame-Options in the header, this weakness could be exploited by clickjacking. ref: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
I've been tasked with resolving these issues but am not familiar with the frameworks used. Any direction would be appreciated.
- I imagine just setting it to true is the solution.
- There is just a list of ip:port. Would I need to eliminate the need for those services?
- The issue reported is with allowed headers.

      'paths' => [
          'api/' => [
              'allowedOrigins' => [''],
              'allowedHeaders' => ['Origin', 'X-Requested-With', 'Authorization', 'Content-Type', 'Accept', 'X-Locale-Id'],
              'allowedMethods' => ['POST', 'PUT', 'OPTIONS', 'GET', 'DELETE'],
              'maxAge' => 3600,
          ],
      ],

  This is a service for an iOS app, and has a web admin panel, so it shouldn't be embedded in any frames. Should I be able to just add the deny option?
If there is a good resource for any of this info that would also be appreciated thank you.
via Sean Carlisle
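Added example for finding 1, not taken from the question or from the asker's project: what the cookie-flag settings look like in a Laravel `config/session.php`. It assumes a Laravel 5.x layout, where that file has both a `secure` key and an `http_only` key (the question's own snippet shows only `'secure' => false` at line 151). The flagged value is shown beside the hardened one.

```php
<?php
// Added example (not the asker's file): excerpt of config/session.php,
// assuming Laravel 5.x config keys. The scanner quoted 'secure' => false;
// the two flags below are the ones that stop the session cookie from
// travelling over plain HTTP and from being readable by page scripts.

return [
    // ... other session settings unchanged ...

    // Flagged value from the report: the browser will also send the
    // session cookie over plain HTTP.
    // 'secure' => false,

    // Hardened: the browser only sends the session cookie over HTTPS.
    // (Local HTTP-only development setups need this off, which is why
    // Laravel normally wraps it in env('SESSION_SECURE_COOKIE', ...).)
    'secure' => true,

    // Hardened: HttpOnly flag, so document.cookie cannot read the session
    // id. This is the "HTTPOnly not set" item in the report; it is a
    // separate flag from 'secure', so both need to be true.
    'http_only' => true,
];
```

After changing the file, confirm the fix in the response itself: the `Set-Cookie` header for the session cookie should now carry both `secure` and `httponly` attributes when the site is served over HTTPS.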
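Added example for finding 3, not from the question, the scanner, or the CORS package whose config is quoted. X-Frame-Options is a response header, not a CORS setting, so the `paths` block in `cors.php` cannot set it; in Laravel 5.x the usual place is a global HTTP middleware. The class name, namespace and registration step below are assumptions for the example.

```php
<?php
// Added example (hypothetical class, not part of the asker's app): a
// Laravel 5.x middleware that adds clickjacking defences to every response.
// Register it in the $middleware array of app/Http/Kernel.php so it also
// covers the web admin panel, not just the API routes.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class DenyFraming
{
    /**
     * Handle an incoming request and stamp anti-framing headers on the response.
     *
     * @param  Request  $request
     * @param  Closure  $next
     * @return Response
     */
    public function handle(Request $request, Closure $next)
    {
        /** @var Response $response */
        $response = $next($request);

        // DENY means no site at all may frame the page (the "deny option"
        // asked about). That fits an API used by an iOS app and an admin
        // panel, neither of which should ever be embedded.
        $response->headers->set('X-Frame-Options', 'DENY');

        // CSP equivalent recommended by the OWASP cheat sheet linked in the
        // question; frame-ancestors 'none' matches DENY in modern browsers.
        // Only add it when no CSP header is already present, so an existing
        // policy is not overwritten.
        if (!$response->headers->has('Content-Security-Policy')) {
            $response->headers->set('Content-Security-Policy', "frame-ancestors 'none'");
        }

        return $response;
    }
}
```

To verify, fetch any page or API route and check that the response includes `X-Frame-Options: DENY`; the scanner's finding 3 should then clear, independent of the CORS headers it was pointing at.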