ASVS Requirement 3.2.1
- Level: 1
- Chapter: V3 Web Frontend Security
- Section: V3.2 Unintended Content Interpretation
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that security controls are in place to prevent browsers from rendering content or functionality in HTTP responses in an incorrect context (e.g., when an API, a user-uploaded file or other resource is requested directly). Possible controls could include: not serving the content unless HTTP request header fields (such as Sec-Fetch-*) indicate it is the correct context, using the sandbox directive of the Content-Security-Policy header field or using the attachment disposition type in the Content-Disposition header field.
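The following is an added example (not part of the ASVS text and not OWASP's code) showing how a server can apply the three controls named above when serving a JSON API response and a user-uploaded file. It uses a small hypothetical `Response` type and treats request headers as a plain dict; the `X-Content-Type-Options: nosniff` header is added as a companion to the listed controls, and the decision to allow requests that carry no `Sec-Fetch-*` headers at all (older browsers, non-browser clients) is a design choice of this example.

```python
"""Server-side handling that keeps API responses and user uploads from being
rendered as top-level documents in the browser (ASVS 3.2.1 controls)."""
from dataclasses import dataclass, field
import re

# Sec-Fetch-Dest values meaning the browser would *render* the response body
# (a navigation, frame or plugin load) instead of handing it to script.
RENDERING_DESTS = {"document", "iframe", "frame", "embed", "object"}


@dataclass
class Response:  # hypothetical minimal response object for this example
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _normalize(headers):
    """Header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def is_rendering_request(request_headers):
    """True when Sec-Fetch-Dest shows the response would be rendered directly."""
    dest = _normalize(request_headers).get("sec-fetch-dest")
    return dest in RENDERING_DESTS


def serve_api_json(request_headers, payload):
    """Serve a JSON API body only in a fetch/XHR-style context.

    Design choice (this example): no Sec-Fetch-* headers -> allowed, because
    non-browser clients never send them; Sec-Fetch-Dest naming a rendering
    destination -> refused, because the browser would show the JSON as a page.
    """
    if is_rendering_request(request_headers):
        return Response(
            403,
            {"Content-Type": "text/plain; charset=utf-8",
             "X-Content-Type-Options": "nosniff"},
            b"API responses are not served as documents",
        )
    return Response(
        200,
        {"Content-Type": "application/json; charset=utf-8",
         "X-Content-Type-Options": "nosniff",
         # Defence in depth: even if rendered, no script and an opaque origin.
         "Content-Security-Policy": "default-src 'none'; sandbox"},
        payload,
    )


_UNSAFE_FILENAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name):
    """Strip path components and any character that could break the header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_FILENAME_CHARS.sub("_", base).strip("._") or "download"
    return base[:100]


def serve_upload(stored_content_type, filename, data):
    """Serve a user-uploaded file as a download, never as an inline document."""
    return Response(
        200,
        {
            # Use the type recorded at upload time, not one sniffed from the bytes.
            "Content-Type": stored_content_type,
            "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
            "X-Content-Type-Options": "nosniff",
            # If a client still renders it, the sandbox removes script and origin.
            "Content-Security-Policy": "sandbox",
        },
        data,
    )


if __name__ == "__main__":
    # Constructed sample requests: a direct navigation vs. a fetch() call.
    nav = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate"}
    xhr = {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors"}
    print(serve_api_json(nav, b'{"ok": true}').status)   # 403
    print(serve_api_json(xhr, b'{"ok": true}').status)   # 200
    print(serve_upload("image/svg+xml", '../a"b.svg', b"<svg/>").headers)
```

A request that arrives with `Sec-Fetch-Dest: document` is refused before any body is produced; a fetch/XHR request (`Sec-Fetch-Dest: empty`) gets the JSON plus `nosniff` and a sandboxing CSP. The upload path always forces a download and rewrites the filename so a stored name cannot inject extra header parameters.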