Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md
Moved Test Objectives before Common Security Header Misconfigurations
websecnl authored Feb 8, 2025
1 parent e6d3138 commit 1c366b4
Showing 1 changed file with 6 additions and 6 deletions.
@@ -8,6 +8,12 @@

Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering the existing security protections ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them.

## Test Objectives

- Identify security headers that are improperly configured.
- Assess the impact of misconfigured security headers.
- Validate correct implementation of required security headers.

### Common Security Header Misconfigurations:
- **Security Header with an Empty Value**: Headers present but lacking a value may be ignored by browsers, making them ineffective.
- **Security Header with an Invalid Value or Name (Typos)**: Incorrect header names or misspellings result in headers not being recognized or enforced.
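Review bot: the `### Common Security Header Misconfigurations:` heading now sits directly under `## Test Objectives`, so the misconfiguration list reads as a sub-point of the objectives rather than as background to the summary paragraph above them; either promote it to `## Common Security Header Misconfigurations` or move the list back into the introductory text before the objectives. While you are here, drop the trailing colon on that heading, since none of the other headings in this hunk (`## Test Objectives`) carry one.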
@@ -22,12 +28,6 @@ Security headers play a vital role in protecting web applications from a wide ra
- **Breakage of Security Measures**: Duplicate headers may lead to unexpected behavior, with some browsers completley ignoring the HTTP security headers because of this.
- **Legacy and Deprecated Headers**: Using obsolete security headers can introduce new attack vectors instead of securing the application.

## Test Objectives

- Identify security headers that are improperly configured.
- Assess the impact of misconfigured security headers.
- Validate correct implementation of required security headers.

## How to Test

### Fetch and Review HTTP Security Headers
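Review bot: the unchanged context line `- **Breakage of Security Measures**: ... with some browsers completley ignoring the HTTP security headers ...` carries a typo (`completley` should be `completely`); since this commit already touches the surrounding block, it is worth folding that one-word fix into the same change. The removal of the old `## Test Objectives` block itself looks correct: the blank line before `## How to Test` is preserved, so the section separation is intact.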
