
Comment by bawolff

1 day ago

Honestly, I disagree with the security headers one. Various security headers do different things and should not be applied blindly. While some are always appropriate, there are also some that make sense to skip depending on what specifically your site is doing.

Not to mention, when I looked at the hall of fame entries, most had a CSP header, but it was a useless CSP header that was meaningless. It doesn't seem to distinguish between having the header and actually using it correctly.

This was always my pet peeve when working as a penetration tester. We'd run simple tools like this to cover the basics, but so many coworkers would blindly copy-paste the issues without considering the site's context and suitability. Not to knock their skills; they'd find real vulnerabilities too. It's just that this stuff was considered beneath them, while I felt that giving a client tailored advice on little details like this is what they were looking for and shows attention to detail.
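A defender-side check of the point made above about "present but meaningless" CSP headers, as an added example that is not part of this thread or of any tool it mentions. It parses a Content-Security-Policy value and reports why the policy fails to restrict script execution, so a scanner result of "has CSP" can be separated from "CSP actually does something". The sample policies are constructed for illustration, and the weakness rules encode common CSP hardening guidance (no `default-src` fallback, wildcard or bare-scheme script sources, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, missing `object-src` / `base-uri`).

```python
import re
from typing import Dict, List

# Constructed sample header values (not taken from any real site).
SAMPLE_POLICIES = {
    "present_but_meaningless": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
    "self_with_inline": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "strict": "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive_name: [source expressions]}.

    Directives are ';'-separated; tokens within a directive are whitespace-separated.
    Directive names are case-insensitive. A repeated directive is ignored by
    browsers (the first occurrence wins), which is mirrored here.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def csp_findings(header: str) -> List[str]:
    """Return reasons the policy is weak for script execution; [] means none found."""
    policy = parse_csp(header)
    if not policy:
        return ["empty policy: header present but restricts nothing"]

    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src and no default-src fallback: scripts are unrestricted")

    # script-src falls back to default-src when absent; compare case-insensitively.
    script_srcs = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in script_srcs)

    if "*" in script_srcs:
        findings.append("script-src allows '*': any origin may serve scripts")
    if any(s in ("http:", "https:", "data:") for s in script_srcs):
        findings.append("script-src allows a bare scheme: any host on that scheme may serve scripts")
    if "'unsafe-inline'" in script_srcs and not has_nonce_or_hash:
        # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it without one.
        findings.append("'unsafe-inline' without a nonce or hash: inline script injection is not blocked")
    if "'unsafe-eval'" in script_srcs:
        findings.append("'unsafe-eval' permits eval()/new Function() on untrusted strings")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content is unrestricted")
    if "base-uri" not in policy:
        # base-uri does NOT fall back to default-src, so it must be set explicitly.
        findings.append("no base-uri: a <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, value in SAMPLE_POLICIES.items():
        problems = csp_findings(value)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running it shows the first sample, which a presence-only scanner would score as "has CSP", producing four findings, while the nonce-based policy produces none. The same parser can be pointed at a `Content-Security-Policy-Report-Only` value, but that header enforces nothing, so treat it as "absent" for scoring purposes.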

  • As a security conscious dev that has worked in various highly regulated spaces I want to say we really appreciate people like you, because they’re super rare

It's seriously infuriating receiving these "Critical vulnerability reports" customers let other agencies do, and having to justify why you have no Referrer-Policy header.

Nice to read that you are reasonable.

Also, they want a strict CSP while serving 10 different ad networks :)