Recently, some of our servers were being flagged for not implementing proper HTTP headers in a Qualys scan.
One of the sites that I visit regularly, http://pentestit.com, has some good HTTP headers implemented:
HTTP/1.1 200 OK
Date: Mon, 26 Jun 2017 23:05:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7bd211d03cddfc95f5d3b27f75db3e151498518314; expires=Tue, 26-Jun-18 23:05:14 GMT; path=/; domain=.pentestit.com; HttpOnly
X-XSS-Protection: 1;mode=block
Referrer-Policy: no-referrer-when-downgrade
Link: <http://wp.me/8tJeS>; rel=shortlink
Vary: Accept-Encoding
X-Mod-Pagespeed: pentestit.com
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Content-Language: en
Server: cloudflare-nginx
CF-RAY: 3753cf6c01ed6c88-SJC
Except for Content-Security-Policy, it seems to be doing everything correctly.
What are your views about being failed for incorrect HTTP headers? I tried searching for information related to this, but was unable to find anything.
I think this should definitely be a PCI fail, as it tends to follow the OWASP Top 10, which has A5 Security Misconfiguration (https://www.owasp.org/index.php/Top_10_2017-A5-Security_Misconfiguration).
My question is: should I be failed for not implementing correct HTTP and NOT HTTPS headers? I am doing every other thing correctly, but missing a few HTTP headers.
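As an added illustration (not code from the question or from any scanner), the following script parses a raw response header block like the one quoted above and reports which commonly expected security headers are missing or carry a weak value. The set of expected headers and the accepted values are an assumption based on common guidance, not Qualys's actual rules; the sample response is constructed from the headers quoted in the question, and the `over_tls` flag models the HTTP-versus-HTTPS distinction the question raises, since browsers ignore Strict-Transport-Security on plain HTTP.

```python
# Constructed sample: the security-relevant headers quoted in the question.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1;mode=block
Referrer-Policy: no-referrer-when-downgrade
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
"""

# Assumed checklist (not the scanner's own rules): header name -> value check.
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "referrer-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.replace(" ", "").lower().startswith("1"),
}

def parse_headers(raw):
    """Parse a raw response header block into {lower-case name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, over_tls):
    """Return (missing, weak): expected headers absent, or present with a weak value."""
    headers = parse_headers(raw)
    missing, weak = [], []
    for name, ok in EXPECTED.items():
        # HSTS is only honoured on HTTPS responses, so do not demand it on plain HTTP.
        if name == "strict-transport-security" and not over_tls:
            continue
        if name not in headers:
            missing.append(name)
        elif not ok(headers[name]):
            weak.append(name)
    return missing, weak

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, over_tls=False))
```

On the sample response over plain HTTP the only finding is the missing Content-Security-Policy, matching the observation in the question; over HTTPS the absent Strict-Transport-Security is reported as well.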