← Back to Baseline

MB-R096

Security headers baseline enforced

C04 HTTPS & TLS Enforcement Medium

Storefront and admin responses should include a baseline set of browser security headers, including CSP or frame-ancestors, X-Content-Type-Options, Referrer-Policy, and other appropriate hardening headers. Missing headers increase exposure to clickjacking, content sniffing, data leakage, and script injection impact. Apply headers consistently at the application, web server, or edge layer.

Why it Matters

Browser security headers provide defense-in-depth against clickjacking, MIME sniffing, referrer leakage, downgrade attacks, and unsafe script behavior. Missing headers make successful browser-side attacks easier.

A Magento baseline should verify these headers across storefront, admin, checkout, and API responses, not just the homepage.

Verification Steps

Header check

curl -I https://mystore.com/ | egrep -i "strict-transport-security|x-content-type-options|referrer-policy|content-security-policy|frame"
curl -I https://mystore.com/checkout | egrep -i "strict-transport-security|content-security-policy"

Coverage review

# Check storefront, admin, checkout, static asset, and API responses

Remediation / Fix Guidance

  1. Enable HSTS after confirming HTTPS works across the domain.
  2. Set X-Content-Type-Options to nosniff.
  3. Set a deliberate Referrer-Policy.
  4. Use CSP and frame controls appropriate for storefront and payment pages.
  5. Apply headers consistently at CDN, load balancer, web server, or Magento layer.

Examples

Fail Example
HTTP response has no HSTS, CSP, Referrer-Policy, or nosniff header.
# Header baseline missing → FAIL
Pass Example
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
# Baseline present → PASS

References