You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -21,7 +21,7 @@ This is a placeholder for future documentation requirements.
|**13.1.5**|[DELETED, INSUFFICIENT IMPACT]|||||
|**13.1.6**|[MODIFIED, MOVED FROM 13.2.6, LEVEL L2 > L3] Verify that per-message digital signatures are used to provide additional assurance on top of transport protections for requests or transactions which are highly sensitive or which traverse a number of systems. ||| ✓ | 345 |
|**13.1.7**|[MODIFIED, MOVED FROM 14.4.1] Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content of the response, including the charset parameter to specify safe character encoding (e.g., UTF-8, ISO-8859-1) according to IANA Media Types, such as "text/", "/+xml" and "/xml". | ✓ | ✓ | ✓ | 173 |
|**13.1.8**|[ADDED] Verify that HTTPS-based endpoints will only respond to non-encrypted HTTP requests with an error or will not respond at all. Responding with an automatic redirect to the HTTPS endpoint may lead to clients accidentally sending data over non-encrypted HTTP, but this is not being discovered. || ✓ | ✓ ||
|**13.1.8**|[ADDED] Verify that HTTPS-based endpoints either return an error or do not respond to unencrypted HTTP requests which contain sensitive data in the headers or body. If a client is erroneously sending unencrypted HTTP requests but the requests are being automatically redirected to HTTPS, this leakage of sensitive data may go undiscovered. || ✓ | ✓ ||
