Skip to content

fix: add Referrer-Policy header check and update description#518

Open
balaakasam wants to merge 2 commits into
zaproxy:mainfrom
balaakasam:patch-1
Open

fix: add Referrer-Policy header check and update description#518
balaakasam wants to merge 2 commits into
zaproxy:mainfrom
balaakasam:patch-1

Conversation

@balaakasam

Copy link
Copy Markdown

Description

Adds a missing Referrer-Policy header check to the existing Multiple Security Header Check script and updates the metadata description to include it in the list of checked headers.

Changes

  • Added Referrer-Policy to the metadata description list
  • Added check for missing Referrer-Policy header with appropriate alert name, description, and solution

Why

The Referrer-Policy header is a modern security header recommended by OWASP and included in the OWASP Secure Headers Project. It was missing from this script while all other major security headers were already covered.

References

Signed-off-by: balaakasam <thripuraavula@gmail.com>
@psiinon

psiinon commented Jul 4, 2026

Copy link
Copy Markdown
Member

Logo
Checkmarx One – Scan Summary & Details2770dc5f-aa1e-4317-9190-7452fb0ba587


New Issues (1) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 MEDIUM CVE-2026-49844 Maven-org.apache.logging.log4j:log4j-api-2.24.2
detailsRecommended version: 2.24.3.redhat-00001
Description: Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JS...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@kingthorin

Copy link
Copy Markdown
Member

Needs a spotlessApply.
Also the new addition may as well follow the array mechanism the original code already established for alert details.

Signed-off-by: balaakasam <thripuraavula@gmail.com>
@balaakasam

Copy link
Copy Markdown
Author

Thank you for the feedback @kingthorin. I've refactored the Referrer-Policy check to use the existing array mechanism consistent with the rest of the script. Please let me know if any further changes are needed, I can do so accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants