The Overreporting of Low-Impact Security Headers in Pentesting Reports


In 2025, many pentesting reports still flag missing security headers as “medium-risk findings,” even when they pose minimal actual risk. Examples include:
– Reporting missing CSP (Content Security Policy) on a REST API returning JSON.
– Flagging absent HTTPOnly on an API using JWT Bearer tokens.
– Marking missing HSTS as medium-risk despite SSL pinning being implemented.

Instead of inflating reports with low-impact issues, pentesters should prioritize findings that represent real risks.

You Should Know:

1. When Security Headers Matter

  • CSP: Critical for web apps rendering HTML/CSS/JS but irrelevant for JSON APIs.
    # Check for the CSP header via curl
    curl -I https://example.com | grep -i "Content-Security-Policy"

  • HTTPOnly: Only useful for cookie-based auth, not token-based (e.g., JWT).
    # Verify whether issued cookies carry the HttpOnly flag
    curl -I https://example.com/login | grep -i "Set-Cookie"

  • HSTS: Redundant if SSL pinning is enforced. Validate with:
    curl -I https://example.com | grep -i "Strict-Transport-Security"

2. Commands to Audit Headers

  • Linux/Windows (PowerShell):
    # PowerShell alternative to curl -I
    Invoke-WebRequest -Uri "https://example.com" -Method Head | Select-Object -Expand Headers
  • Automated Scanning (Python):
    import requests
    # HEAD returns only the response headers, no body
    response = requests.head("https://example.com")
    print(response.headers)
    
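Building on the Python snippet above, here is an added example (not from the original post) that triages missing headers by context, so a JSON API is not flagged for CSP and a bearer-token API is not flagged for HttpOnly. The header dicts are constructed samples, `audit_url` is a hypothetical helper, and the `ssl_pinning` flag is an assumption the tester supplies from out-of-band knowledge of the client.

```python
def triage_headers(headers, ssl_pinning=False):
    """Rate missing headers by context; ssl_pinning marks clients known to pin
    certificates. Returns (header, severity, reason) tuples."""
    h = {k.lower(): v for k, v in headers.items()}
    renders_html = "text/html" in h.get("content-type", "").lower()
    cookie = h.get("set-cookie", "")
    findings = []

    # CSP restricts what a browser may load or execute. A JSON body is never
    # rendered as a document, so a missing CSP there is informational at most.
    if "content-security-policy" not in h:
        if renders_html:
            findings.append(("Content-Security-Policy", "Medium", "HTML response served without CSP"))
        else:
            findings.append(("Content-Security-Policy", "Informational", "non-HTML response; browser never renders it"))

    # HttpOnly is a cookie attribute. With bearer tokens no cookie is issued,
    # so there is nothing to flag; with a cookie, check the flag is present.
    if cookie and "httponly" not in cookie.lower():
        findings.append(("HttpOnly", "Medium", "session cookie readable by page scripts"))

    # HSTS stops downgrade to plain HTTP. Following the post, a pinning client
    # already refuses untrusted TLS, so the rating is lowered rather than dropped.
    if "strict-transport-security" not in h:
        severity = "Low" if ssl_pinning else "Medium"
        findings.append(("Strict-Transport-Security", severity, "no HSTS header"))
    return findings


def reportable(findings):
    """Keep only rated findings so the report is not padded with informational noise."""
    return [f for f in findings if f[1] != "Informational"]


def audit_url(url, ssl_pinning=False):
    """Live variant (hypothetical helper): fetch headers with requests and triage them."""
    import requests  # imported here so the offline samples run without it
    resp = requests.head(url, allow_redirects=True, timeout=10)
    return triage_headers(resp.headers, ssl_pinning=ssl_pinning)


# Constructed sample responses, not captured from any real host.
JSON_API = {"Content-Type": "application/json"}
WEB_UI = {"Content-Type": "text/html; charset=utf-8",
          "Set-Cookie": "session=abc123; Path=/; Secure"}

if __name__ == "__main__":
    for name, hdrs, pin in (("JSON API", JSON_API, True), ("Web UI", WEB_UI, False)):
        print(name)
        for header, severity, reason in reportable(triage_headers(hdrs, pin)):
            print(f"  {severity:<6} {header}: {reason}")
```

Run against the two samples, the JSON API yields only a Low HSTS finding while the web UI yields three Medium findings.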

3. CVSS Manipulation Pitfalls

Inflating CVSS scores for low-risk issues misleads clients. Use tools like `cvss-calculator` (Linux):

# Install CVSS calculator (Debian)
sudo apt install cvss-calculator
# Example vector
cvss-calculator "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

What Undercode Says:

Overreporting trivial findings dilutes pentest value. Focus on:

  • Real threats (e.g., IDOR, SSRF, RCE).
  • Context-aware hardening (e.g., CSP for web UIs, not APIs).
  • Transparent scoping (e.g., “Tested X endpoints, no critical flaws found”).

Commands to Prioritize:

# Hunt for critical vulns (Linux)
nmap --script vuln -p 443,80 example.com
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

Expected Output:

A concise report excluding noise, with actionable findings and justified risk ratings.

Reported By: Bernardo Viqueira – Hackers Feeds