HTTP Response Headers

Captured from curl -sI https://app.acme.example/ on 2026-05-22

HTTP/2 200
server: Apache/2.4.41 (Ubuntu)
date: Thu, 22 May 2026 09:42:18 GMT
content-type: text/html; charset=UTF-8
content-length: 14829
etag: "39ed-58af9c2d2b500"
last-modified: Wed, 21 May 2026 18:08:42 GMT
cache-control: max-age=600
set-cookie: PHPSESSID=u9k2vc8jc8q4ll5un; path=/; HttpOnly

OWASP ASVS v4 §14.4 — security header baseline

Cross-reference each header in the baseline against the response above. List the ones that are absent.
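One way to run this cross-reference as a script. This is an added example, not part of the original capture. The requirement numbers are taken from ASVS v4.0.3 section V14.4, which the page names but does not enumerate, and the function names are hypothetical.

```python
# Added example: check a captured response against the ASVS v4.0.3 V14.4 headers.
# CAPTURED is the header block from the page, embedded so the check runs offline.
CAPTURED = """\
HTTP/2 200
server: Apache/2.4.41 (Ubuntu)
date: Thu, 22 May 2026 09:42:18 GMT
content-type: text/html; charset=UTF-8
content-length: 14829
etag: "39ed-58af9c2d2b500"
last-modified: Wed, 21 May 2026 18:08:42 GMT
cache-control: max-age=600
set-cookie: PHPSESSID=u9k2vc8jc8q4ll5un; path=/; HttpOnly
"""

def parse_headers(raw):
    """Map lower-cased header names to a list of values (headers may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_baseline(raw):
    """Return [(requirement, description)] for each V14.4 check that fails."""
    h = parse_headers(raw)
    joined = lambda n: ", ".join(h.get(n, [])).lower()
    csp = joined("content-security-policy")
    # 14.4.2 (Content-Disposition) applies to API responses, not this HTML page.
    checks = [
        ("14.4.1", "Content-Type with a charset", "charset=" in joined("content-type")),
        ("14.4.3", "Content-Security-Policy", bool(csp)),
        ("14.4.4", "X-Content-Type-Options: nosniff",
         joined("x-content-type-options") == "nosniff"),
        ("14.4.5", "Strict-Transport-Security",
         "max-age=" in joined("strict-transport-security")),
        ("14.4.6", "Referrer-Policy", bool(joined("referrer-policy"))),
        ("14.4.7", "CSP frame-ancestors or X-Frame-Options",
         "frame-ancestors" in csp or bool(joined("x-frame-options"))),
    ]
    return [(req, desc) for req, desc, ok in checks if not ok]

if __name__ == "__main__":
    for req, desc in missing_baseline(CAPTURED):
        print(f"ASVS {req}: absent or insufficient: {desc}")
```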