Http Missing Upgrade Insecure Requests
Description
Detects whether a web application's responses declare the upgrade-insecure-requests policy, either as a dedicated 'Upgrade-Insecure-Requests' header or as the 'upgrade-insecure-requests' directive of a Content-Security-Policy header. The directive instructs browsers to rewrite every insecure URL (http://) that the page references, in subresources, form submissions and same-site navigations, to https:// before the request is sent, so a page already delivered over TLS does not load attacker-modifiable content or leak data over plain HTTP. Note that 'Upgrade-Insecure-Requests: 1' is what browsers send in requests to signal that they support the upgrade; the server declares the policy through CSP. The directive only covers requests made by a page that has already loaded: it does not protect the first navigation from an http:// link on another site, which is the job of Strict-Transport-Security (HSTS), so it complements HSTS rather than replacing it.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Check whether the 'Upgrade-Insecure-Requests' HTTP header is present in the response (browsers send 'Upgrade-Insecure-Requests: 1' in requests; a server that echoes it is accepted, but this is not the usual way to declare the policy)
• If it is absent, check whether an enforcing Content-Security-Policy header contains the 'upgrade-insecure-requests' directive (Content-Security-Policy-Report-Only enforces nothing and does not count)
• Report the vulnerability if neither the dedicated header nor the CSP directive is present
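The strategy above, as an added example that is not Fluid Attacks' own scanner code: a Python check that parses a raw response head, applies the two steps in order, handles case-insensitive header and directive names and repeated CSP headers, and treats a Report-Only policy as non-enforcing. The three sample responses are constructed, and the function and constant names are assumptions made for this example.

```python
"""Detection logic for a missing upgrade-insecure-requests policy.

Added example (not Fluid Attacks' scanner code): runs the detection
strategy over constructed HTTP response heads and reports whether the
policy is declared.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # ordered (lowercased name, value) pairs


def parse_response_head(raw: str) -> Headers:
    """Split a raw HTTP/1.x response head into (name, value) pairs.

    The status line is skipped, names are lowercased (HTTP header names
    are case-insensitive) and repeated names are kept, because a server
    may legitimately send several Content-Security-Policy headers.
    """
    headers: Headers = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than crash
        headers.append((name.strip().lower(), value.strip()))
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse one CSP serialization into {directive: [values...]}.

    Directives are ';'-separated, names are ASCII case-insensitive, and a
    valueless directive such as upgrade-insecure-requests maps to [].
    When a directive is repeated, CSP honours only the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def check_upgrade_insecure_requests(raw_response: str) -> Tuple[bool, str]:
    """Apply the detection strategy; return (policy_present, evidence).

    Step 1: a dedicated 'Upgrade-Insecure-Requests' header in the response.
            Browsers send this header in requests; a server that echoes
            it is accepted here, as the strategy describes.
    Step 2: an enforcing Content-Security-Policy header carrying the
            'upgrade-insecure-requests' directive. A Report-Only policy
            upgrades nothing, so it is deliberately not accepted.
    """
    headers = parse_response_head(raw_response)
    for name, value in headers:
        if name == "upgrade-insecure-requests" and value == "1":
            return True, "dedicated Upgrade-Insecure-Requests header"
    for name, value in headers:
        if name == "content-security-policy":
            if "upgrade-insecure-requests" in csp_directives(value):
                return True, "upgrade-insecure-requests CSP directive"
    return False, "neither the header nor the CSP directive is present"


# Constructed sample responses (not captured from any real host).
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
"""

# Report-Only only reports violations; nothing is upgraded, so still vulnerable.
REPORT_ONLY = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy-Report-Only: upgrade-insecure-requests; default-src 'self'
"""

# Fixed: the policy is in an enforcing CSP header (mixed case on purpose),
# with HSTS alongside it for the initial navigation.
FIXED_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
content-security-policy: default-src 'self'; Upgrade-Insecure-Requests
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


def scan_all() -> Dict[str, bool]:
    """Run the check over every sample; True means the policy is present."""
    samples = {"vulnerable": VULNERABLE, "report_only": REPORT_ONLY, "fixed_csp": FIXED_CSP}
    return {label: check_upgrade_insecure_requests(raw)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, present in scan_all().items():
        print(f"{label}: {'ok' if present else 'VULNERABLE'}")
```

Running the script flags the first two samples and accepts the third. The Report-Only sample is the case a naive substring search gets wrong: the directive text is present in the response, but nothing is upgraded. The hardened sample also sets Strict-Transport-Security because the directive alone does not upgrade the first request that arrives over http://.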