
HTTP Response Headers — Find What's Missing

Medium Web Defense · A05:2021 25 min


HTTP Headers Forensics

Scenario

You are doing a defensive review of https://app.acme.example/. The customer's CTO wants to know which security headers are missing per the OWASP ASVS v4 §14.4 baseline.

The actual HTTP response headers from the production app are in the right pane.

Objective

List the security headers that are completely absent from the response (not just misconfigured — totally missing).

Headers you must check for (full ASVS baseline):

| Header | Purpose |
|---|---|
| Strict-Transport-Security | Forces HTTPS on later visits; prevents protocol-downgrade attacks |
| Content-Security-Policy | Mitigates XSS and, through its frame-ancestors directive, clickjacking |
| X-Content-Type-Options | Stops MIME sniffing |
| X-Frame-Options | Anti-clickjacking (older sibling of CSP frame-ancestors) |
| Referrer-Policy | Controls Referer leakage |
| Permissions-Policy | Restricts browser feature access (camera/mic/geo) |

Answer format

Comma-separated, all lowercase, sorted alphabetically, no spaces:

content-security-policy,permissions-policy,referrer-policy,strict-transport-security,x-content-type-options

(That example shows 5 missing headers — the actual count may be different.)

Tips

  • A header that is present but with a weak/empty value is not counted here — we only want totally absent ones.
  • X-XSS-Protection is deprecated by modern browsers — do not include it even if missing.
  • Match header names exactly (case-insensitive — we'll lowercase your input before comparing).

Hints

Hint 1 (−10 pts)

Compare each header in the response against the ASVS table in the instructions. The headers present are: server, date, content-type, content-length, etag, last-modified, cache-control, set-cookie.

Hint 2 (−10 pts)

All 6 ASVS-baseline security headers are missing from this response. Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy. Submit them lowercase, comma-separated, alphabetical.

Hint 3 (−10 pts)

Full answer: content-security-policy,permissions-policy,referrer-policy,strict-transport-security,x-content-type-options,x-frame-options
