The X-Permitted-Cross-Domain-Policies header tells Adobe Flash Player and Adobe Acrobat/Reader clients which cross-domain policy files (crossdomain.xml) on your domain they may honour. It is the HTTP form of the meta-policy that can otherwise be declared in the site-control element of the master policy file at the site root. Without it, a client trusts any policy file it finds on the host, so an attacker who can place a file on your origin (for example through an unrestricted upload or a user-controlled path) can publish a policy that grants arbitrary domains read access to your content, including responses sent with the victim's cookies. Even where the master policy file exists, an overly broad one (allow-access-from domain="*") has the same effect. The plugins that honour this header are deprecated and disabled in current browsers, but users on legacy Flash or PDF readers remain exposed, and a missing header is a reliable indicator that the deployment has not been hardened. Note that this header has no effect on framing; clickjacking is addressed by X-Frame-Options or the Content-Security-Policy frame-ancestors directive, not by this control.
Set the header in your server or application configuration. The defined values are none (no policy files are honoured, including the master file), master-only (only /crossdomain.xml at the site root is honoured), by-content-type (only files served with Content-Type text/x-cross-domain-policy), by-ftp-filename (only files named crossdomain.xml, relevant to FTP hosts) and all (any policy file anywhere on the host). Use none unless you deliberately serve Flash or PDF content to other domains; if you do, use master-only and review the master policy file so that it does not contain allow-access-from domain="*" or secure="false". Remove legacy Flash, PDF-embed and ActiveX dependencies where possible. If you use a reverse proxy, CDN or load balancer, confirm it forwards the header unchanged rather than stripping or rewriting it, and send it on every response, not only alongside the policy file. A Web Application Firewall can help detect requests that probe for policy files at unexpected paths, but it does not replace the header. Re-check the configuration as components are upgraded or retired.
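The following Python, added here as an example and not code from the scanner or from Adobe, checks both halves of the remediation above: it classifies the header value a server returns and flags permissive directives in a master policy file. The header dictionaries and the crossdomain.xml body are constructed samples; the status labels (ok, review, permissive) are this example's own severity scale, not values defined by the specification.

```python
"""Assess a site's cross-domain meta-policy: the X-Permitted-Cross-Domain-Policies
response header and the contents of its master policy file (crossdomain.xml).

Added illustration, not a scanner's own code. All inputs are constructed inline.
"""
import xml.etree.ElementTree as ET

HEADER_NAME = "x-permitted-cross-domain-policies"

# Meta-policy values defined by Adobe's cross-domain policy specification,
# ordered from most to least restrictive. The right-hand labels are this
# example's own severity scale.
META_POLICY_STATUS = {
    "none": "ok",                 # no policy files honoured at all
    "master-only": "ok",          # only /crossdomain.xml at the site root
    "by-content-type": "review",  # any file served as text/x-cross-domain-policy
    "by-ftp-filename": "review",  # any file named crossdomain.xml (FTP hosts)
    "all": "permissive",          # any policy file anywhere on the host
}


def header_finding(headers):
    """Classify the meta-policy header from a dict of response headers.

    Returns (status, value, detail). Header names are matched
    case-insensitively, as HTTP requires. Unknown values are flagged because
    clients ignore them and behave as if no header were present.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == HEADER_NAME:
            value = raw.strip().lower()
            break
    if value is None:
        return "missing", None, "header absent: clients honour any policy file they find"
    status = META_POLICY_STATUS.get(value)
    if status is None:
        return "invalid", value, f"unrecognised value {value!r}: treated as absent by clients"
    return status, value, f"meta-policy {value}"


def policy_file_findings(xml_text):
    """Return a list of permissive directives found in a crossdomain.xml body."""
    root = ET.fromstring(xml_text)
    issues = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            issues.append('allow-access-from domain="*": every origin may read responses')
        elif domain.startswith("*."):
            issues.append(f'allow-access-from domain="{domain}": all subdomains trusted')
        # secure="false" lets content loaded over http:// read https:// responses
        if el.get("secure", "true").lower() == "false":
            issues.append(f'allow-access-from domain="{domain}" secure="false"')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            issues.append("allow-http-request-headers-from: any origin may send any header")
    return issues


def assess(headers, master_policy_xml=None):
    """Combine header and policy-file checks into a single pass/fail verdict.

    A meta-policy of none passes regardless of the file's contents, because
    clients never consult any policy file in that case.
    """
    status, value, detail = header_finding(headers)
    issues = policy_file_findings(master_policy_xml) if master_policy_xml else []
    if value == "none":
        verdict = "pass"
    elif status in ("missing", "invalid", "permissive") or issues:
        verdict = "fail"
    else:
        verdict = "pass"
    return {"header": status, "detail": detail, "issues": issues, "verdict": verdict}


# Constructed sample: a master policy file with the directives the remediation
# text warns about. It declares master-only itself but then trusts every origin.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    # Constructed header sets: absent, hardened, and master-only with a bad file.
    for hdrs in ({},
                 {"X-Permitted-Cross-Domain-Policies": "none"},
                 {"x-permitted-cross-domain-policies": "master-only"}):
        print(assess(hdrs, SAMPLE_POLICY))
```

Run the file directly to see the three verdicts, or import assess() into a larger header audit; the header dict can be filled from any HTTP client's response object.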
Code: A05:2021
Category: Security Misconfiguration
7.1