NEW CHECK - X-Download-Options


The check would see if the Content-Disposition header exists in the response and verify that the 'X-Download-Options: noopen' header is present.
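The check as described above, as an added example in Python that is not code from this project: it parses raw response headers, applies the Content-Disposition / X-Download-Options rule, and runs it over constructed sample responses. The attachment_only parameter is my own addition, not part of the proposed check.

```python
def parse_raw_headers(raw):
    """Split a raw HTTP response into lower-cased (name, value) header pairs,
    skipping the status line and stopping at the blank line before the body."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_x_download_options(headers, attachment_only=False):
    """Return a finding string, or None when the response passes or is out of scope.

    As described in the issue, any response carrying Content-Disposition is in
    scope. attachment_only=True (an addition here, not from the issue) narrows
    scope to 'Content-Disposition: attachment', which reduces the false positives
    raised later in the thread."""
    dispositions = [v for n, v in headers if n == "content-disposition"]
    if attachment_only:
        dispositions = [v for v in dispositions
                        if v.split(";", 1)[0].strip().lower() == "attachment"]
    if not dispositions:
        return None
    values = [v.strip().lower() for n, v in headers if n == "x-download-options"]
    if not values:
        return "Content-Disposition present but X-Download-Options header is missing"
    if "noopen" not in values:
        return "X-Download-Options present but value is not 'noopen': %r" % values
    return None


# Constructed sample responses (not captured from any real server).
RESPONSE_MISSING = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="report.pdf"', "", "%PDF-1.4"])
RESPONSE_OK = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="report.pdf"',
    "X-Download-Options: noopen", "", "%PDF-1.4"])
RESPONSE_INLINE = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: image/png",
    "Content-Disposition: inline", "", "<png bytes>"])

if __name__ == "__main__":
    for label, raw in [("missing", RESPONSE_MISSING), ("ok", RESPONSE_OK),
                       ("inline", RESPONSE_INLINE)]:
        print(label, "->", check_x_download_options(parse_raw_headers(raw)))
```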


ericlaw1979 wrote Apr 1, 2014 at 4:42 PM

Curious: What threat do you aim to mitigate with X-Download-Options? Generally, this header isn't required for any security purpose, and even if it were, it would be related to the MIME type of the target resource.

chrisweber wrote Apr 1, 2014 at 5:32 PM

Here's some background info ;)

Ya, I think that the security-usefulness of this would be very context-specific, and probably generate a lot of false positives. I should probably go ahead and close this one; it was never implemented as a check.

ericlaw1979 wrote Apr 3, 2014 at 8:21 PM

Well played, Chris, well played. :-)