Verify that the application server only accepts the HTTP methods in use by the application/API, including pre-flight OPTIONS, and logs/alerts on any requests that are not valid for the application context.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 749
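One way to enforce this requirement in front of the application, as an added example that is not part of the OWASP ASVS text: a per-route method allow list, with OPTIONS accepted only on routes that browsers actually call cross-origin, and every rejected request recorded for alerting. The route table, the logger name and the in-memory REJECTIONS sink are assumptions made for the example; a real deployment would forward the events to its SIEM.

```python
import logging
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

logger = logging.getLogger("method_guard")


@dataclass(frozen=True)
class Route:
    methods: FrozenSet[str]  # methods the application actually implements
    preflight: bool          # True only for routes that browsers call cross-origin


# Hypothetical route table (an assumption for this example). Keys are path
# templates; "{id}" matches exactly one non-empty path segment.
ROUTES: Dict[str, Route] = {
    "/api/orders": Route(frozenset({"GET", "POST"}), preflight=True),
    "/api/orders/{id}": Route(frozenset({"GET", "PUT", "DELETE"}), preflight=True),
    "/health": Route(frozenset({"GET"}), preflight=False),
}

# Never passed to the application, whatever a route claims to implement.
GLOBALLY_FORBIDDEN: FrozenSet[str] = frozenset({"TRACE", "TRACK", "CONNECT"})

# In-memory sink for rejected requests (constructed for the example); the
# alerting pipeline would consume these events.
REJECTIONS: List[Dict[str, str]] = []


def match_route(path: str) -> Optional[str]:
    """Return the template in ROUTES that matches `path`, or None."""
    parts = path.split("?", 1)[0].split("/")
    for template in ROUTES:
        tparts = template.split("/")
        if len(tparts) != len(parts):
            continue
        if all(t == p or (t.startswith("{") and t.endswith("}") and p != "")
               for t, p in zip(tparts, parts)):
            return template
    return None


def allowed_methods(template: str) -> FrozenSet[str]:
    """Methods valid for a route: what it implements, plus OPTIONS if pre-flight applies."""
    route = ROUTES[template]
    methods = set(route.methods) - GLOBALLY_FORBIDDEN
    if route.preflight:
        methods.add("OPTIONS")  # CORS pre-flight is part of this route's contract
    return frozenset(methods)


def _reject(reason: str, method: str, path: str, remote_addr: str) -> None:
    event = {"reason": reason, "method": method, "path": path, "remote_addr": remote_addr}
    REJECTIONS.append(event)
    logger.warning("rejected request: %s", event)


def check_method(method: str, path: str, remote_addr: str = "-") -> Tuple[Optional[int], Dict[str, str]]:
    """Gate a request before it reaches the application.

    Returns (status, response_headers). A status of None means "pass through";
    any other status is a final response the gate sends itself. HTTP method
    names are case-sensitive, so "get" is rejected rather than upper-cased.
    """
    template = match_route(path)
    if template is None:
        _reject("unknown route", method, path, remote_addr)
        return 404, {}
    allowed = allowed_methods(template)
    if method not in allowed:
        _reject("method not allowed", method, path, remote_addr)
        return 405, {"Allow": ", ".join(sorted(allowed))}
    if method == "OPTIONS":
        # Answer the pre-flight here; the application never sees it.
        return 204, {"Allow": ", ".join(sorted(allowed))}
    return None, {}
```

The Allow header on a 405 is what RFC 9110 requires, and it leaks nothing the application does not already expose. The point of the log event is the alerting: a burst of TRACE, PUT or lower-case method names against an API that never uses them is a scanner, not a user.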
Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 346
Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 346
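The two Origin requirements above are easiest to see together in code. The following is an added example, not OWASP ASVS or any project's own code: a strict CORS allow list that matches whole origins (scheme, host and port), admits subdomains only with the leading dot present, refuses the "null" origin, and never uses Origin for the authorization decision, which comes from the session cookie alone. The allow list, parent domains and session store are constructed for the example; the reflecting variant is kept only to show the anti-pattern.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allow list (assumption for this example): complete origins, scheme included.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})
# Parent domains whose https subdomains are trusted. Keep this short: every
# subdomain, including forgotten ones open to takeover, inherits the trust.
ALLOWED_PARENT_DOMAINS = frozenset({"example.com"})

# Hypothetical session store (constructed): cookie value -> user.
SESSIONS: Dict[str, str] = {"s3ss10n-abc": "alice"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value, or return None if it is not a plain https origin."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # A browser Origin is scheme://host[:port] only; anything else is hand-crafted.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"


def origin_is_allowed(origin: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Strict allow-list match. Returns (allowed, canonical_origin)."""
    if not origin or origin == "null":
        # "null" is what sandboxed iframes, data: URLs and local files send; never trust it.
        return False, None
    canonical = normalize_origin(origin)
    if canonical is None:
        return False, None
    if canonical in ALLOWED_ORIGINS:
        return True, canonical
    host = urlsplit(canonical).hostname or ""
    # The suffix includes the dot, so "evil-example.com" and
    # "app.example.com.evil.net" both fail.
    if any(host.endswith("." + parent) for parent in ALLOWED_PARENT_DOMAINS):
        return True, canonical
    return False, None


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Response headers to add. Untrusted origins get no Access-Control-Allow-Origin at all."""
    allowed, canonical = origin_is_allowed(origin)
    headers = {"Vary": "Origin"}  # caches must not replay one origin's answer to another
    if allowed and canonical is not None:
        headers["Access-Control-Allow-Origin"] = canonical
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """The anti-pattern: echo whatever Origin arrived, with credentials. Shown for contrast only."""
    return {"Access-Control-Allow-Origin": origin or "*",
            "Access-Control-Allow-Credentials": "true"}


def _cookies(headers: Dict[str, str]) -> Dict[str, str]:
    raw = headers.get("Cookie", "")
    return dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Authorise from the session cookie only; Origin selects CORS headers and nothing else."""
    user = SESSIONS.get(_cookies(headers).get("sid", ""))
    response_headers = cors_headers(headers.get("Origin"))
    if user is None:
        return 401, response_headers, None
    return 200, response_headers, user
```

Note the asymmetry the last function makes explicit: a request from an allowed origin without a session is still 401, and a request from an unknown origin with a valid session is served, but without the header the browser needs to read the response. Origin can be set to any value by a non-browser client, so it only ever controls what a browser is permitted to read, never what the server is willing to do.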
Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 306
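Headers such as X-Authenticated-User are trivially forged by any client that can reach the application directly, so the application must be able to tell that they really came from the proxy. One way to do that, as an added example that is not part of the OWASP ASVS text: the proxy signs the identity header together with a timestamp, the method and the path using a key it shares with the application, and the application only honours the header when the connection comes from the proxy's address, the signature verifies in constant time, and the timestamp is fresh. The secret, proxy address, header names and skew window are assumptions constructed for the example; for an SSO-issued bearer token the equivalent check is verifying the token's signature against the identity provider's keys plus its issuer, audience and expiry, which this example does not implement.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Shared secret between proxy and application. Constructed for the example; in a
# real deployment it comes from a secret store, not source code.
PROXY_SECRET = b"constructed-example-secret-rotate-me"
# Only connections from the proxy's own address may carry identity headers.
TRUSTED_PROXY_ADDRS = frozenset({"10.0.0.2"})
MAX_SKEW_SECONDS = 60


def _canonical(user: str, issued_at: str, method: str, path: str) -> bytes:
    """Bytes that are signed. Fields are newline-separated, so a newline inside a field is rejected upstream."""
    return "\n".join([user, issued_at, method, path]).encode()


def sign_identity(user: str, method: str, path: str, now: Optional[float] = None) -> Dict[str, str]:
    """Proxy side: emit the headers after it has authenticated the user itself."""
    issued_at = str(int(now if now is not None else time.time()))
    sig = hmac.new(PROXY_SECRET, _canonical(user, issued_at, method, path), hashlib.sha256).hexdigest()
    return {"X-Authenticated-User": user, "X-Auth-Issued-At": issued_at, "X-Auth-Signature": sig}


def verify_identity(headers: Dict[str, str], peer_addr: str, method: str, path: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Application side: return the user name only when every check passes, else None."""
    if peer_addr not in TRUSTED_PROXY_ADDRS:
        return None  # a direct client can set any header it likes; ignore them all
    user = headers.get("X-Authenticated-User", "")
    issued_at = headers.get("X-Auth-Issued-At", "")
    sig = headers.get("X-Auth-Signature", "")
    if not user or not issued_at or not sig:
        return None
    if any("\n" in v for v in (user, issued_at, method, path)):
        return None
    try:
        ts = int(issued_at)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None  # stale: limits replay of a captured header set
    expected = hmac.new(PROXY_SECRET, _canonical(user, issued_at, method, path), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return user
```

Binding the signature to method and path means a header set captured on one request cannot be replayed against a different endpoint within the skew window; a per-request nonce would close the remaining window entirely. The peer-address check matters even with the signature in place, because it is what lets the application drop unsigned identity headers from clients that found a path around the proxy.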
Credit via OWASP ASVS. For more information visit the OWASP ASVS Project or its GitHub repository. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.