security_headers MEDIUM finding `--`
Closed this issue · 4 comments
Hi,
Using this testssl version:
"at" : "testssl:/home/testssl/bin/openssl.Linux.x86_64",
"version" : "3.2.1 ",
"openssl" : "OpenSSL 1.0.2-bad from Fri Mar 28 16:54:51 2025",
We are seeing this in the output report and we are trying to understand what the issue means.
Does it mean that no security headers (HTTPS) were found?
But when testing against REST API endpoints, how can testssl verify the HTTPS security headers without sending a proper/valid HTTP request (which I do not think it does)?
},{
"id" : "security_headers",
"severity" : "MEDIUM",
"finding" : "--"
},{
Thanks in advance for the help.
It means that none were found, and that is labeled as a medium finding.
That is one of the findings where a human needs to interpret, as it depends on what you're running. API clients should be fine, browsers probably not. The latter depends on the URL also...
Thanks @drwetter
But if we point testssl to the root URL of our app/SSL endpoint, and testssl does not send a proper HTTP payload to the expected HTTP endpoint, it will very likely just get a default/error page, for which it is also very likely that some of the security HTTP headers are not set.
I guess a better question would be: what does testssl do (what kind of HTTP requests does it send, and to which URLs) when testing for these headers? Then we can try to manually reproduce the issue and see whether this is really a problem or not.
As said, if you're running an API (i.e. not GraphQL, which is for browsers) it doesn't matter.
Other than that, testssl.sh sends a GET request to the URL you specified.
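To reproduce by hand what the `security_headers` check sees, the following is an added example (not testssl.sh's own code and not from anyone in this thread): it sends the same kind of plain GET to the URL and lists which security headers come back, and it can also parse a captured response head so the root URL's default/error page can be compared with the real API route. The header list is an assumption (a commonly checked set), not testssl.sh's exact list; the two sample responses are constructed for the example.

```python
"""Manually reproduce a security-headers check: plain GET, then inspect headers.

Added example; not testssl.sh code. SECURITY_HEADERS is an assumed, representative
set of headers and is not claimed to match what testssl.sh looks for exactly.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

# Assumption: a representative set of response headers worth checking.
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
)


def fetch_headers(url, timeout=10):
    """Send a plain GET (no body, no auth) over TLS and return (status, headers).

    GET rather than HEAD, because the thread states that testssl.sh sends a GET.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443, timeout=timeout,
        context=ssl.create_default_context(),
    )
    try:
        conn.request("GET", path, headers={"User-Agent": "header-check/0.1"})
        resp = conn.getresponse()
        resp.read()  # drain the body; only the headers matter here
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def parse_raw_response(raw):
    """Parse a captured HTTP/1.1 response head (e.g. from curl -D -) into (status, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return status, headers


def classify_headers(headers):
    """Return (present, missing) in SECURITY_HEADERS order; names compared case-insensitively."""
    lower = {k.lower() for k in headers}
    present = [h for h in SECURITY_HEADERS if h.lower() in lower]
    missing = [h for h in SECURITY_HEADERS if h.lower() not in lower]
    return present, missing


# Constructed samples: a default/error page served at the root URL versus the
# real API route. Neither is a real capture.
ROOT_ERROR_PAGE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
API_ROUTE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)


def report(label, status, headers):
    present, missing = classify_headers(headers)
    print(f"{label}: HTTP {status}")
    print(f"  present: {', '.join(present) or '(none)'}")
    print(f"  missing: {', '.join(missing) or '(none)'}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against the URL you would give testssl.sh, e.g. the root and the API path.
        for url in sys.argv[1:]:
            report(url, *fetch_headers(url))
    else:
        report("root (constructed)", *parse_raw_response(ROOT_ERROR_PAGE))
        report("api route (constructed)", *parse_raw_response(API_ROUTE_RESPONSE))
```

Run it with the root URL and the actual API path as two arguments to see whether the headers differ between the default page and the real route; `curl -s -D - -o /dev/null https://host/path` shows the same raw response head, which `parse_raw_response` can read from a file if you prefer to capture first and compare later.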