When should I not use page meta security headers?
For example, I configured the web server server-side with a powerful content security policy and other hardened security headers, but when I review my security research, assessment, and analytics of my page meta security headers, they fail.
I think the difference between page meta and server-side headers is that page meta is per page and server-side is global. So should I define the insecure page meta header results as a false positive or a bug?
I think you are asking about a conflict between HTTP headers versus page meta elements, correct? If yes, you should use HTTP headers and remove the page meta elements (at least the ones for security) as they are unnecessary.
HTTP headers take priority over page meta elements, and HTTP headers are cached by intermediate proxies but page meta elements may not be.
If you are using a scanning tool that expects to see a certain page meta element in the <head> that you properly configured as an HTTP header, you can consider that a bug with the scanner and keep using the HTTP header.
Here is a good resource for testing your HTTP headers: securityheaders.io
Also, here is a good resource for configuring your Content Security Policy: content-security-policy.com
If you have a specific error you need help with then please edit your question with the error message, otherwise refer to the general guidance above.
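Added example (not part of the original answer and not any scanner's own code): a Python check that compares the security headers a response actually carries with the meta http-equiv elements in the page, so a "missing meta header" scanner result can be triaged against what the server sends. The names `audit` and `MetaCollector` and the sample data are constructed for illustration.

```python
from html.parser import HTMLParser

# Browsers act on these only as HTTP response headers, never from <meta>.
HEADER_ONLY = ("strict-transport-security", "x-frame-options", "x-content-type-options")
# Headers checked by this example (a selection, not an exhaustive list).
SECURITY_HEADERS = ("content-security-policy",) + HEADER_ONLY
# CSP directives that browsers ignore when the policy arrives via <meta>.
CSP_META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}


class MetaCollector(HTMLParser):
    """Collect <meta http-equiv=... content=...> pairs from a page."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv"):
            self.meta[a["http-equiv"].lower()] = a.get("content") or ""


def audit(response_headers, html):
    """Return {header: (where, note)} comparing HTTP headers with meta elements."""
    http = {k.lower() for k in response_headers}
    collector = MetaCollector()
    collector.feed(html)
    report = {}
    for name in SECURITY_HEADERS:
        in_http, in_meta = name in http, name in collector.meta
        if in_http:
            where, note = ("both", "redundant meta element can be removed") if in_meta else ("header", "ok")
        elif in_meta:
            where = "meta"
            note = "ignored by browsers in meta" if name in HEADER_ONLY else "move to HTTP header"
            if name == "content-security-policy":
                used = {d.split()[0].lower() for d in collector.meta[name].split(";") if d.strip()}
                dropped = sorted(used & CSP_META_IGNORED)
                note += "; meta ignores: " + ", ".join(dropped) if dropped else ""
        else:
            where, note = "missing", "not delivered"
        report[name] = (where, note)
    return report

# Constructed sample: CSP and HSTS sent as headers, leftover meta elements in the page.
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'", "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_HTML = ('<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
               '<meta http-equiv="X-Frame-Options" content="DENY">')
print(audit(SAMPLE_HEADERS, SAMPLE_HTML))
```

A header reported as "header" or "both" is already delivered by the server, so a scanner finding that only complains about the absent meta element can be closed; "meta" and "missing" are the results that need a server-side change.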