Burp Suite User Forum


Suggest updating header recommendations in Advisories

Emily | Last updated: Mar 27, 2024 04:46PM UTC

For "Frameable response (potential Clickjacking)", the advisory recommends adding an X-Frame-Options header, but would it be better to recommend Content Security Policy as the first choice and X-Frame-Options for compatibility support? For "Cacheable HTTPS Response", the advisory recommends adding "Pragma: no-cache", but it could maybe caveat that this header is deprecated and only used for HTTP/1.0 support.

Syed, PortSwigger Agent | Last updated: Mar 28, 2024 11:51AM UTC

Hi Emily,

You are right; it is better to recommend a CSP header, but in this issue, adding an X-Frame-Options header is enough to mitigate it.

For the Cacheable HTTPS Response vulnerability, you are right that the Cache-Control header is used in more modern browsers, which is why it is mentioned in the advisory. The use of Pragma: no-cache is there as an extra layer of security as well as for apps that still use HTTP/1.0.
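As an added illustration of the two points raised in this thread (not PortSwigger's scanner logic and not code from either poster), the check below inspects a response's headers the way a practitioner would when triaging these two issues: CSP `frame-ancestors` is treated as the primary framing control with X-Frame-Options as the compatibility fallback, and `Cache-Control: no-store` as the directive that actually prevents storage, with `Pragma: no-cache` recorded only as a legacy backup. The header names and directives come from the HTTP and CSP specifications; the sample responses and the function names are constructed for this example.

```python
from typing import Dict, List, Optional

# Constructed sample responses (not captured traffic) exercising the three cases
# discussed in the thread: nothing set, X-Frame-Options only, and CSP plus fallback.
SAMPLES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN", "Cache-Control": "no-cache"},
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",           # compatibility fallback for old browsers
        "Cache-Control": "no-store",
        "Pragma": "no-cache",                # HTTP/1.0 backup only
    },
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [src.lower() for src in parts[1:]]
    return None


def check_framing(headers: Dict[str, str]) -> Dict[str, object]:
    ancestors = frame_ancestors(_get(headers, "Content-Security-Policy"))
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    # frame-ancestors is the modern control; when present, browsers that support it
    # ignore X-Frame-Options. An empty source list matches nothing (same as 'none').
    # Any other listed source permits framing from that origin, so only 'none' and
    # 'self' are counted as protecting here.
    csp_ok = ancestors is not None and all(src in ("'none'", "'self'") for src in ancestors)
    # X-Frame-Options is the compatibility fallback. ALLOW-FROM is obsolete and is
    # ignored by current browsers, so only DENY and SAMEORIGIN count.
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    return {
        "csp_frame_ancestors": ancestors,
        "x_frame_options": xfo or None,
        "protected": csp_ok or xfo_ok,
        "csp_first": csp_ok,   # False means the page relies on X-Frame-Options alone
    }


def check_caching(headers: Dict[str, str]) -> Dict[str, object]:
    cache_control = _get(headers, "Cache-Control") or ""
    directives = {d.strip().split("=")[0].lower() for d in cache_control.split(",") if d.strip()}
    pragma = (_get(headers, "Pragma") or "").lower()
    # no-store tells HTTP/1.1+ caches not to keep a copy at all. no-cache alone only
    # forces revalidation before reuse; the stored copy stays on disk.
    no_store = "no-store" in directives
    # Pragma: no-cache has no specified meaning in responses (RFC 9111); it only
    # backs up Cache-Control for legacy HTTP/1.0 intermediaries.
    return {
        "cache_control": sorted(directives),
        "cacheable": not no_store,
        "legacy_fallback": "no-cache" in pragma,
    }


def scan(headers: Dict[str, str]) -> List[str]:
    """Return the Burp Scanner issue names that would apply to this response."""
    findings: List[str] = []
    if not check_framing(headers)["protected"]:
        findings.append("Frameable response (potential Clickjacking)")
    if check_caching(headers)["cacheable"]:
        findings.append("Cacheable HTTPS Response")
    return findings


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name}: {scan(headers) or 'no findings'}")
```

Note that the `xfo_only` sample is not flagged as frameable, matching the reply above that X-Frame-Options alone mitigates the issue, but `csp_first` is False for it, which is the signal to prefer a `frame-ancestors` policy; it is still flagged as cacheable because `no-cache` without `no-store` does not stop storage.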
