diff --git a/docs/en/images/pen-test-alert-list-10.4.png b/docs/en/images/pen-test-alert-list-10.4.png new file mode 100644 index 00000000000..b86b64af75c Binary files /dev/null and b/docs/en/images/pen-test-alert-list-10.4.png differ diff --git a/docs/en/others/penetration-test-report.md b/docs/en/others/penetration-test-report.md index cc80d39b8eb..8ca58a57c9c 100644 --- a/docs/en/others/penetration-test-report.md +++ b/docs/en/others/penetration-test-report.md 
@@ -7,51 +7,25 @@ # ABP Penetration Test Report -The ABP Commercial MVC `v10.0.1` application template has been tested against security vulnerabilities by the [OWASP ZAP v2.14.0](https://www.zaproxy.org/) tool. The demo web application was started on the `https://localhost:44349` address. The below alerts have been reported by the pentest tool. These alerts are sorted by the risk level as high, medium, and low. The informational alerts are not mentioned in this document. +The ABP Commercial MVC `v10.4.0` application template has been tested against security vulnerabilities by the [OWASP ZAP v2.14.0](https://www.zaproxy.org/) tool. The demo web application was scanned on a local HTTPS address. The below alerts have been reported by the pentest tool. These alerts are sorted by the risk level as high, medium, and low. The informational alerts are not mentioned in this document. Many of these alerts are **false-positive**, meaning the vulnerability scanner detected these issues, but they are not exploitable. It's clearly explained for each false-positive alert why this alert is a false-positive. -In the next sections, you will find the affected URLs, attack parameters (request-body), alert descriptions, false-positive explanations, and fixes for the issues. Some positive alerts are already fixed or needed additional actions that can be taken by you. The issue links for the fixes are mentioned in each positive alert. +In the next sections, you will find the affected URLs, attack parameters (request-body), alert descriptions, false-positive explanations, and fixes for the issues. Some alerts need additional actions that can be taken by you. ## Alerts There are high _(red flag)_, medium _(orange flag)_, low _(yellow flag)_, and informational _(blue flag)_ alerts. -![penetration-test-10.0.1](../images/pen-test-alert-list-10.1.png) +![penetration-test-10.4.0](../images/pen-test-alert-list-10.4.png) > The informational alerts are not mentioned in this document. 
These alerts don't raise any risks for your application and they are optional. -### Cross Site Scripting (Reflected) [Risk: High] - Positive - -- *[GET] - https://localhost:44349/Identity/OrganizationUnits/AddMemberModal?title=SelectAUser&organizationUnitId=...&OrganizationUnitName=%3C%2Fh5%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ch5%3E* -- *[GET] - https://localhost:44349/Identity/OrganizationUnits/AddRoleModal?organizationUnitId=...&OrganizationUnitName=%3C%2Fh5%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ch5%3E* -- *[GET] - https://localhost:44349/Saas/Host/Tenants/ImpersonateTenantModal?tenantId=...&tenantName=%3C%2Fh5%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ch5%3E* - -**Description**: - -Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. - -**Explanation**: - -This is a **Positive** alert. The application reflects the `OrganizationUnitName` and `tenantName` parameters without proper encoding in the modal headers, allowing for the execution of arbitrary JavaScript. We have created an **internal issue** to track this vulnerability, and it will be fixed in the next release. - -### PII Disclosure [Risk: High] - False Positive - -- *[GET] - https://localhost:44349/* (Evidence: 639002492030480000) -- *[GET] - https://localhost:44349/?page=...* - -**Description**: - -The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data. - -**Explanation**: - -This is a **false-positive** alert. The detected numbers (e.g., `639002492030480000`) are cache-busting timestamps (`_v` parameter) generated by the framework for static assets. They coincidentally match the pattern of Credit Card numbers (pattern matching) but are not sensitive data. 
- ### Path Traversal [Risk: High] - False Positive -- *[GET] - https://localhost:44349/Account/Login?returnUrl=Login* -- *[GET] - https://localhost:44349/api/account/security-logs?action=\security-logs* +- *[GET] - https://localhost:44348/api/audit-logging/audit-logs?httpMethod=audit-logs&sorting=executionTime+desc&skipCount=0&maxResultCount=10* +- *[GET] - https://localhost:44348/Account/ForgotPassword?returnUrl=%5CForgotPassword* +- *[GET] - https://localhost:44348/Account/Login?ReturnUrl=%2FAccount%2FManage* **Description**: @@ -63,8 +37,9 @@ This is a **false-positive** alert. ABP Framework automatically validates `retur ### SQL Injection [Risk: High] - False Positive -- *[GET] - https://localhost:44349/AbpPermissionManagement/PermissionManagementModal?providerKey=AbpSolution16711_Swagger+AND+1%3D1+--+* -- *[GET] - https://localhost:44349/Account/Manage?CurrentPassword=ZAP%27+AND+%271%27%3D%271%27+--+* +- *[GET] - https://localhost:44348/api/audit-logging/audit-logs/entity-changes?entityTypeFullName=%27+AND+%271%27%3D%271%27+--+&sorting=changeTime+desc&skipCount=0&maxResultCount=10* +- *[GET] - https://localhost:44348/api/identity/claim-types?filter=&skipCount=0%27+AND+%271%27%3D%271%27+--+&maxResultCount=10* +- *[GET] - https://localhost:44348/api/language-management/language-texts?sorting=name+asc+AND+1%3D1+--+&skipCount=0&maxResultCount=10* **Description**: 
@@ -74,37 +49,14 @@ SQL injection may be possible. This is a **false-positive** alert. ABP Framework uses Entity Framework Core, which inherently uses parameterized queries, preventing standard SQL injection attacks. Manual verification showed that injecting SQL syntax into parameters like `providerKey` results in the input being treated as a literal string (resulting in no match or default behavior) rather than altering the query structure. -### SQL Injection - SQLite [Risk: High] - False Positive - -- *[POST] - https://localhost:44349/Account/ForgotPassword?returnUrl=%2FAccount%2FManage* (Attack: `case randomblob(100000) ...`) -- *[POST] - https://localhost:44349/FeatureManagement/FeatureManagementModal* - -**Description**: - -SQL injection may be possible. - -**Explanation**: +### Content Security Policy (CSP) Header Not Set [Risk: Medium] — Application Specific Configuration -This is a **false-positive** alert. Similar to the standard SQL Injection alert, the application uses parameterized queries. The detected delays are likely due to application processing variations or network latency rather than successful SQL injection. - -### Content Security Policy (CSP) Header Not Set [Risk: Medium] — Positive (Fixed) - -- *[GET] — https://localhost:44349* -- *[GET] — https://localhost:44349/AuditLogs* -- *[GET] — https://localhost:44349/CookiePolicy* -- *[GET] — https://localhost:44349/Gdpr/PersonalData* -- *[GET] — https://localhost:44349/Identity/ClaimTypes/{0}* (create & edit modal URLs - also there are other modal related URLs...) 
-- *[GET] — https://localhost:44349/AbpPermissionManagement/PermissionManagementModal?providerName=R&providerKey=role&providerKeyDisplayName=role* -- *[GET] — https://localhost:44349/Abp/MultiTenancy/TenantSwitchModal* -- *[GET] — https://localhost:44349/Account/AuthorityDelegation/AuthorityDelegationModal* -- *[GET] — https://localhost:44349/Account/AuthorityDelegation/DelegateNewUserModal* -- *[GET] — https://localhost:44349/Account/ForgotPassword _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/ExternalLogins _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/SecurityLogs _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/Login _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/Register _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/Manage _(other several account URLS)_* -- *[GET] — https://localhost:44349/Account/Sessions _(other several account URLS)_* +- *[GET] — https://localhost:44348/* +- *[GET] — https://localhost:44348/?page=%2FAccount%2F~%2FAccount%2FLogin* +- *[GET] — https://localhost:44348/Abp/MultiTenancy/TenantSwitchModal* +- *[GET] — https://localhost:44348/Account/ForgotPassword* +- *[GET] — https://localhost:44348/Account/Login _(other several account URLs)_* +- *[GET] — https://localhost:44348/Account/Register _(other several account URLs)_* **Description:** 
@@ -114,7 +66,7 @@ Content Security Policy (CSP) is an added layer of security that helps to detect Ensure that your web server, application server, load balancer, etc. are configured to set the `Content-Security-Policy` header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+, and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+. -This vulnerability has fixed in ABP v7.0. You can check the related issue from [github.com/abpframework/abp/issues/14173](https://github.com/abpframework/abp/issues/14173). You can configure the `AbpSecurityHeadersOptions` and set the `UseContentSecurityPolicyHeader` property as *true* to add the `Content-Security-Policy` header into your application: +ABP provides CSP support through `AbpSecurityHeadersOptions`, but `UseContentSecurityPolicyHeader` is `false` by default because each application may need a different CSP depending on scripts, styles, external identity providers, CDNs, and integrations. Configure `AbpSecurityHeadersOptions` and set the `UseContentSecurityPolicyHeader` property as *true* to add the `Content-Security-Policy` header into your application: ```csharp Configure(options => 
@@ -127,12 +79,9 @@ Configure(options => ### Format String Error [Risk: Medium] - False Positive -- *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A&returnUrl=%2F&uiCulture=ar* (with combination of different parameters) -- *[GET] — https://localhost:44349/Abp/ApplicationLocalizationScript?cultureName=ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A* (with combination of different parameters) -- *[GET] — https://localhost:44349/api/language-management/language-texts?filter=aa&resourceName=&baseCultureName=es&targetCultureName=ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A&getOnlyEmptyValues=false&sorting=name+asc&skipCount=0&maxResultCount=10* (with combination of different parameters) -- *[GET] — https://localhost:44349/LanguageManagement/Texts/Edit?name=IncorrectCaptchaAnswer&targetCultureName=sv&resourceName=AbpAccount&baseCultureName=ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A* (with combination of different parameters) -- *[POST] — https://localhost:44349/Account/Login?ReturnUrl=%2FSettingManagement* -- *[POST] — https://localhost:44349/Account/Manage* (with combination of different parameters) +- *[GET] — https://localhost:44348/Abp/ApplicationLocalizationScript?cultureName=ZAP%25n%25s%25n%25s%0A* (with combination of different parameters) +- *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ZAP%25n%25s%25n%25s%0A&returnUrl=%2F&uiCulture=en-GB* (with combination of different parameters) +- *[GET] — 
https://localhost:44348/Account/Login* (with combination of different parameters) **Description:** @@ -152,9 +101,9 @@ The second URL is also a **false-positive** alert because there is no bad charac ### XSLT Injection [Risk: Medium] - False Positive -- *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&returnUrl=%2F&uiCulture=tr _(same URL with different parameters...)_* -- *[POST] — https://localhost:44349/Account/ForgotPassword _(same URL with different parameters...)_* -- *[GET] — https://localhost:44349/SaasWidgets/LatestTenants _(same URL with different parameters...)_* +- *[GET] — https://localhost:44348/api/openiddict/applications?id=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E _(same payload with different parameters...)_* +- *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&returnUrl=%2F&uiCulture=en-GB _(same payload with different parameters...)_* +- *[GET] — https://localhost:44348/?page=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E _(same payload with different parameters...)_* **Description**: 
@@ -162,16 +111,11 @@ Injection using XSL transformations may be possible and may allow an attacker to **Explanation**: -This is a **false-positive** alert. v9.0 uses .NET 9 and the XSLT transformation is not possible on .NET5 or higher. +This is a **false-positive** alert. ABP v10.4.x uses .NET 10, and the scanned endpoints do not execute user-supplied XSLT. The local validation did not expose XSLT execution or system property output. ### Application Error Disclosure [Risk: Low] — False Positive -- *[POST] — https://localhost:44349/Account/ImpersonateUser* -- *[GET] — https://localhost:44349/Account/ExternalLogins* -- *[GET] — https://localhost:44349/OrganizationUnits* -- *[GET] — https://localhost:44349/HostDashboard* -- *[GET] — https://localhost:44349/Saas/Host/Editions* -- *[GET] — https://localhost:44349/Saas/Host/Tenants* +- *[GET] — https://localhost:44348/Account/ExternalLogins* **Description:** 
@@ -179,35 +123,34 @@ The reported pages contain an error/warning message that may disclose sensitive **Explanation:** -This vulnerability was reported as a **positive** alert because the application ran in `Development` mode. ABP throws exceptions for developers in the `Development` environment. We set the environment to `Production` and re-run the test, then the server sent a *500-Internal Error* without the error disclosed. Therefore this alert is **false-positive**. Further information can be found in the following issue: [github.com/abpframework/abp/issues/14177](https://github.com/abpframework/abp/issues/14177#issuecomment-1268206947). +This vulnerability was reported as a **positive** alert because the application ran in `Development` mode. ABP throws exceptions for developers in the `Development` environment. Production mode returned a generic error page in the local validation, without framework stack traces or database details. Therefore this alert is **false-positive** for production deployments. Further information can be found in the following issue: [github.com/abpframework/abp/issues/14177](https://github.com/abpframework/abp/issues/14177#issuecomment-1268206947). 
### Cookie No `HttpOnly` Flag [Risk: Low] — Positive (No need for a fix) -* *[GET] — https://localhost:44349 (and other several URLs...)* -* *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2FAccount%2FForgotPassword%3FreturnUrl%3D%2522%252F%253E%253Cxsl%253Avalue-of%2520select%253D%2522system-property(%2527xsl%253Avendor%2527)%2522%252F%253E%253C!--&uiCulture=ar (and other several URLs...)* -* *[GET] — https://localhost:44349/Abp/ApplicationConfigurationScript* +* *[GET] — https://localhost:44348 (and other several URLs...)* +* *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2FAccount%2FForgotPassword%3FreturnUrl%3D%2522%252F%253E%253Cxsl%253Avalue-of%2520select%253D%2522system-property(%2527xsl%253Avendor%2527)%2522%252F%253E%253C!--&uiCulture=ar (and other several URLs...)* +* *[GET] — https://localhost:44348/Abp/ApplicationConfigurationScript* **Description:** -A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections. +A cookie has been set without the `HttpOnly` flag, which means that the cookie can be accessed by JavaScript running in the browser. **Explanation:** The following alert is related to the next alert. 
Therefore, to understand this alert, you can take a look at the next alert: _Cookie Without Secure Flag [Risk: Low]_ -### Cookie Without Secure Flag [Risk: Low] — Positive (No need for a fix) +### Cookie Without Secure Flag [Risk: Low] — Application/Deployment Review Required -* *[GET] — https://localhost:44349 (and other several URLs...)* -* *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D% (same url with different query parameters...)* +* *[GET] — https://localhost:44348 (and other several URLs...)* +* *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D% (same url with different query parameters...)* -**Description:** A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections. The following cookies don't have an `httponly` flag. +**Description:** A cookie has been set without the `Secure` flag, which means that the cookie can be sent over unencrypted HTTP connections. -* `XSRF-TOKEN` (Anti CSRF token cookie) -* `.AspNetCore.Culture` (ASP.NET Core culture cookie) +The ZAP report includes JavaScript-readable and UI preference cookies in this category. The local HTTPS validation found `XSRF-TOKEN` with `Secure=true` and `SameSite=None`, and found UI/local antiforgery cookies without `Secure` on localhost. Review the final production deployment and reverse proxy settings to ensure security-sensitive cookies are only sent over HTTPS. **Explanation:** -All the pages that are setting the `XSRF-TOKEN` and `.AspNetCore.Culture` cookies in the HTTP response are reported as "No `HttpOnly` Flag" vulnerability. This is a **positive-alert**. +All the pages that are setting the `XSRF-TOKEN` and `.AspNetCore.Culture` cookies in the HTTP response can be reported in cookie flag alerts. 
This is expected for cookies that must be read by client-side code, but production deployments should still verify the `Secure` and `SameSite` attributes for each cookie. > **Note for IDS4 users**: The `idsrv.session` cookie is being used in IDS4 and after ABP 6.x, ABP switched to OpenIddict ([github.com/abpframework/abp/issues/7221](https://github.com/abpframework/abp/issues/7221)). Therefore, this cookie is not being used in the current startup templates and you can ignore this note if you have created your application after v6.0+. However, if you are still using Identity Server 4, there is an issue related to the `idsrv.session` cookie, it cannot be set as `HttpOnly`; you can see the related thread at its own repository: [github.com/IdentityServer/IdentityServer4/issues/3873](https://github.com/IdentityServer/IdentityServer4/issues/3873) @@ -233,10 +176,10 @@ The related issue for this alert can be found at [github.com/abpframework/abp/is ### Cookie with SameSite Attribute None [Risk: Low] — Positive (No need for a fix) -* *[GET] — https://localhost:44349 (and other several URLs...)* -* *[GET] — https://localhost:44349/Abp/ApplicationConfigurationScript* -* *[GET] — https://localhost:44349/Account/ForgotPassword (and there are several URLs)* -* *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D%252FAccount%252F%7E%252FAccount%252FLogin&uiCulture=a (and other several URLs...)* +* *[GET] — https://localhost:44348 (and other several URLs...)* +* *[GET] — https://localhost:44348/Abp/ApplicationConfigurationScript* +* *[GET] — https://localhost:44348/Account/ForgotPassword (and there are several URLs)* +* *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D%252FAccount%252F%7E%252FAccount%252FLogin&uiCulture=a (and other several URLs...)* **Description:** 
@@ -250,7 +193,7 @@ Ensure that the `SameSite` attribute is set to either `lax` or ideally `strict` ### Cookie without `SameSite` Attribute [Risk: Low] — Positive (No need for a fix) -* *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2F&uiCulture=ar _(and other several URLs with different query parameters...)_* +* *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2F&uiCulture=ar _(and other several URLs with different query parameters...)_* **Description:** @@ -262,17 +205,12 @@ Ensure that the `SameSite` attribute is set to either `lax` or ideally `strict` -### Strict-Transport-Security Header Not Set [Risk: Low] - False Positive +### Strict-Transport-Security Header Not Set [Risk: Low] - Production/Deployment Setting -- *[DELETE] — https://localhost:44349/api/feature-management/features?providerName=E&providerKey=49dfb08f-f5ed-0b61-8d37-3a0fc6b61679* -- *[DELETE] — https://localhost:44349/api/identity/claim-types/4c580525-c08f-9280-f729-3a0fc6b9c3fa* -- *[DELETE] — https://localhost:44349/api/account/sessions/de2f8683-f8f4-d3bb-6b7e-3a138af89d1f* -- *[DELETE] — https://localhost:44349/api/language-management/languages/6b311a44-65bd-14ea-1a21-3a0e778b41d5* -- *[DELETE] — https://localhost:44349/api/saas/tenants/c77b1554-5837-3303-9983-3a0e77824bb3* -- *[DELETE] — https://localhost:44349/api/openiddict/scopes?id=af5a66e2-7cbb-cf69-7301-3a0fc6bb0ebf* -- *[GET] — https://localhost:44349/* -- *[GET] — https://localhost:44349/Abp/ApplicationConfigurationScript* -- *[GET] — https://localhost:44349/Abp/ApplicationLocalizationScript?cultureName=zh-Hant* +- *[GET] — https://localhost:44348/* +- *[GET] — https://localhost:44348/Abp/ApplicationConfigurationScript* +- *[GET] — https://localhost:44348/Abp/ApplicationLocalizationScript?cultureName=zh-Hant* +- *[DELETE] — https://localhost:44348/api/feature-management/features?providerName=E&providerKey=...* - other URLS... **Description**: 
@@ -285,14 +223,13 @@ Enabling HSTS on production. **Explanation**: -This vulnerability was reported as a positive alert because the application ran in `Development` mode. We enable HSTS on `Production` mode as can be seen in the image below, therefore this is a **false-positive** alert. +This alert is production/deployment dependent. The generated MVC template calls `UseHsts()` when the environment is not `Development`, but ASP.NET Core does not emit HSTS for localhost. Verify that HSTS is enabled and reaches the browser in the final production hosting topology. ![HSTS](../images/pen-test-hsts.png) ### Timestamp Disclosure - Unix [Risk: Low] - False Positive -- *[GET] — https://localhost:44349/libs/zxcvbn/zxcvbn.js?=* -- *[GET] — https://localhost:44349/libs/sweetalert2/sweetalert2.all.min.js?=* +- *[GET] — https://localhost:44348/libs/zxcvbn/zxcvbn.js?_v=638362269519660000* **Description**: 
@@ -306,13 +243,12 @@ Manually confirm that the timestamp data is not sensitive, and that the data can This vulnerability was reported as a positive alert, because ABP uses the [zxcvbn](https://github.com/dropbox/zxcvbn) library for [password complexity indicators](../framework/ui/angular/password-complexity-indicator-component.md). This library is one of the most used password strength estimator and it does not disclosure any sensitive data related to web server's timestamp and therefore it's a **false-positive** alert. -### X-Content-Type-Options Header Missing [Risk: Low] - Positive (Fixed) +### X-Content-Type-Options Header Missing [Risk: Low] - Needs Review for Static/Deployment Paths -- *[GET] — https://localhost:44349/client-proxies/account-proxy.js?_v=638550091940000000 (and other client-proxies related URLs...)* -- *[GET] — https://localhost:44349/favicon.svg* -- *[GET] — https://localhost:44349/images/getting-started/bg-01.png* (and other image URLs...) -- *[GET] — https://localhost:44349/global-styles.css?_v=638556076064360335* -- *[GET] — https://localhost:44349/libs/@fortawesome/fontawesome-free/css/all.css?_v=%5CWEB-INF%5Cweb.xml (other several URLs...)* +- *[GET] — https://localhost:44348/client-proxies/account-proxy.js?_v=639159181980000000 (and other client-proxies related URLs...)* +- *[GET] — https://localhost:44348/favicon.svg* +- *[GET] — https://localhost:44348/LeptonX/images/login-pages/login-bg-img-dark.svg* +- *[GET] — https://localhost:44348/libs/abp/aspnetcore-mvc-ui-theme-shared/authentication-state/authentication-state-listener.js?_v=639158976700000000* - other URLs... **Description**: 
@@ -327,6 +263,6 @@ If possible, ensure that the end user uses a standards-compliant and modern web **Explanation**: -The `X-Content-Type-Options` header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured. This headeer is not strictly required, but it is highly recommended for security reasons. While modern browsers have improved security features, you can still set this header for ensuring the security of web applications. +The `X-Content-Type-Options` header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured. This header is not strictly required, but it is highly recommended for security reasons. While modern browsers have improved security features, you can still set this header for ensuring the security of web applications. -You can add the [ABP's Security Header Middleware](../framework/ui/mvc-razor-pages/security-headers.md#security-headers-middleware) into the request pipeline to set the `X-Content-Type-Options` as *no-sniff*. Also, this middleware adds other pre-defined security headers to your application, including `X-XSS-Protection`, `X-Frame-Options` and `Content-Security-Policy` (if it's enabled). Read [Security Headers](../framework/ui/mvc-razor-pages/security-headers.md) documentation for more info. +The fresh local validation confirmed that [ABP's Security Header Middleware](../framework/ui/mvc-razor-pages/security-headers.md#security-headers-middleware) emits `X-Content-Type-Options: nosniff` for checked MVC pages and scripts. Since the ZAP report still listed missing headers for several client proxy and static asset URLs, verify static-file handling, proxy/CDN behavior, and any custom middleware ordering in the final application. This middleware also adds other pre-defined security headers, including `X-XSS-Protection`, `X-Frame-Options` and `Content-Security-Policy` (if it's enabled). 
Read [Security Headers](../framework/ui/mvc-razor-pages/security-headers.md) documentation for more info.
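Review bot: In the first hunk (`@@ -7,51 +7,25 @@`), the Path Traversal list gains `api/audit-logging/audit-logs?httpMethod=audit-logs&...`, but the explanation that follows only argues that ABP validates `returnUrl`; `httpMethod` is a query filter, not a redirect target, so add a sentence saying why that payload is harmless (for example, that the value is only used to filter audit-log records and is never used as a path). The same hunk deletes the "Cross Site Scripting (Reflected) [Risk: High] - Positive" and "PII Disclosure [Risk: High]" sections without a trace; the previous revision promised the XSS finding "will be fixed in the next release", so record the outcome (fixed in which version, or no longer reported by the v10.4.0 scan) instead of removing the history. Also, `https://localhost:44349` in the intro becomes "a local HTTPS address" while every listed URL still reads `https://localhost:44348`; keep the concrete address in the intro so the listings are self-explanatory.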
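Review bot: In the SQL Injection hunk (`@@ -63,8 +37,9 @@`), the `providerKey` URL is removed but the unchanged explanation below still says manual verification was done on "parameters like `providerKey`"; rewrite it around the three parameters now listed. Two of the new entries (`sorting=name+asc+AND+1%3D1+--+` and `skipCount=0%27+AND+...`) are not covered by the parameterized-query argument as written: an ORDER BY expression is never a bind parameter, so state what validates or parses `sorting` before it reaches the query, and for `skipCount` note that the payload is not an integer and should be rejected at model binding rather than ever reaching EF Core.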
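Review bot: In `@@ -74,37 +49,14 @@`, the CSP heading changes from "Positive (Fixed)" to "Application Specific Configuration", and later hunks add "Application/Deployment Review Required", "Production/Deployment Setting" and "Needs Review for Static/Deployment Paths", while the intro still describes only positive and false-positive alerts; define these new labels once in the intro (what the reader is expected to do for each) or fold them back into the two existing ones. The same hunk drops the "SQL Injection - SQLite" section entirely; if the time-based alert was simply absent from the v10.4.0 scan, say so in one line rather than deleting the section silently.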
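Review bot: In `@@ -114,7 +66,7 @@`, the rewritten paragraph tells the reader to set `UseContentSecurityPolicyHeader` to true but does not say that the header is only emitted when ABP's Security Headers middleware is in the request pipeline (the X-Content-Type-Options section further down notes that this middleware adds `Content-Security-Policy` "if it's enabled"); add that dependency here and link to the same Security Headers documentation, otherwise a reader who sets the option without `UseAbpSecurityHeaders()` will see no header and conclude the option is broken. Dropping the sentence that pointed at issue 14173 removes the only pointer to where the feature originated; keeping the link costs nothing.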
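Review bot: In the Format String hunk (`@@ -127,12 +79,9 @@`), the URL list is reordered (`Abp/ApplicationLocalizationScript` is now first, `Abp/Languages/Switch` second, `Account/Login` third) but the unchanged explanation in the next hunk still begins "The second URL is also a **false-positive** alert because there is no bad charac..."; re-check that sentence against the new ordering and name the endpoint instead of its position so future list edits do not silently break the reference.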
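Review bot: In the XSLT URL hunk (`@@ -152,9 +101,9 @@`), the new first entry injects the payload into `api/openiddict/applications?id=...`; if that `id` binds to a `Guid`, the request fails model binding before any processing, which is a stronger and more specific false-positive argument than the generic one in the explanation, so state it for this entry.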
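Review bot: In `@@ -162,16 +111,11 @@`, the new explanation opens with "ABP v10.4.x uses .NET 10", which is not the reason the alert is a false positive; `System.Xml.Xsl.XslCompiledTransform` is available on .NET 10, so lead with the second clause (no scanned endpoint passes user input to an XSLT processor) and drop the runtime-version framing that the old ".NET5 or higher" sentence wrongly relied on.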
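Review bot: In `@@ -179,35 +123,34 @@`, the Cookie Without Secure Flag description says the local validation found "UI/local antiforgery cookies without `Secure` on localhost", but unlike HSTS, ASP.NET Core does not suppress the `Secure` attribute for localhost; a cookie issued over HTTPS without `Secure` means the cookie was appended without a secure policy (or the response was served over plain HTTP), so either name the cookies and the code path that sets them, or treat it as a real finding with a fix (for example `CookiePolicyOptions.Secure = CookieSecurePolicy.Always` via `UseCookiePolicy()`) rather than a localhost artefact. The named-cookie list (`XSRF-TOKEN`, `.AspNetCore.Culture`) is removed from the description while the Explanation still refers to those two cookies; keep the names where the reader first needs them. The HttpOnly section still ends with "to understand this alert, you can take a look at the next alert", but the next alert now discusses `Secure` and `SameSite` and no longer explains why `HttpOnly` is not applied (the page's own reason: these cookies must be read by client-side code); give the HttpOnly section its own one-sentence explanation.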
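Review bot: In `@@ -285,14 +223,13 @@`, "ASP.NET Core does not emit HSTS for localhost" is correct but unexplained; name the mechanism (`HstsOptions.ExcludedHosts` defaults to `localhost`, `127.0.0.1` and `[::1]`) and give the reader a way to verify locally (clear `ExcludedHosts` or scan a non-loopback hostname). The Application Error Disclosure section says the scan ran in `Development`, in which case the template's `UseHsts()` branch was never reached at all, so there are two independent reasons the header was absent; state both and say which environment the v10.4.0 scan actually used, since it also determines the error-disclosure result. The `pen-test-hsts.png` screenshot is carried over unchanged; confirm it still matches the v10.4.0 template.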
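Review bot: In `@@ -327,6 +263,6 @@`, "verify static-file handling, proxy/CDN behavior, and any custom middleware ordering" is the actionable part of this section and should be concrete: every listed response is a static asset (`client-proxies/*.js`, `favicon.svg`, LeptonX images, `libs/.../*.js`), and in ASP.NET Core the static files middleware short-circuits the pipeline, so if `UseStaticFiles()` runs before `UseAbpSecurityHeaders()` in the module's `OnApplicationInitialization`, those responses never receive `X-Content-Type-Options`; say that the headers middleware must be registered ahead of static files and that this ordering is what to check. The heading's "Needs Review" also sits oddly beside the first sentence's "confirmed that ... emits `X-Content-Type-Options: nosniff`"; make the heading state the actual result, present on MVC pages and missing on static assets.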