ASVS Requirement 4.1.3
- Level: 2
- Chapter: V4 API and Web Service
- Section: V4.1 Generic Web Service Security
- Source: 0x13-V4-API-and-Web-Service.md
Description
Verify that any HTTP header field used by the application and set by an intermediary layer, such as a load balancer, a web proxy, or a backend-for-frontend service, cannot be overridden by the end-user. Example headers might include X-Real-IP, X-Forwarded-*, or X-User-ID.
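To make the requirement concrete, the following is an added example (not part of the ASVS text) of the two sides of the check: an edge intermediary that strips client-supplied copies of the headers it owns before setting them itself, and an application that resolves the client address from X-Forwarded-For by walking the chain from the right and skipping only its own trusted proxy addresses, next to the naive "take the first value" logic that lets the end-user choose their apparent IP. The trusted proxy block 10.0.0.0/8, the reserved header set and all function names are assumptions for the example.

```python
"""Handling intermediary-set headers so the end-user cannot override them.

Added illustration for ASVS 4.1.3; not code from the ASVS project.
Assumptions: the load balancer tier lives in 10.0.0.0/8, and the reserved
headers are X-Real-IP, X-Forwarded-For and X-User-ID.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed address block of our own proxies / load balancers.
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("10.0.0.0/8")]

# Headers that only an intermediary may set (assumed list).
RESERVED_HEADERS = {"x-real-ip", "x-forwarded-for", "x-user-id"}


def _is_trusted(addr: str, trusted: Iterable[Network]) -> bool:
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in trusted)


def parse_forwarded_for(value: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into trimmed hops."""
    return [part.strip() for part in value.split(",") if part.strip()]


def edge_sanitize(incoming: Dict[str, str], peer_ip: str, user_id: str) -> Dict[str, str]:
    """What the first (client-facing) intermediary should do.

    Drop every client-supplied copy of a reserved header, matched
    case-insensitively, and then set those headers from data the edge
    itself established (the TCP peer address and the authenticated user).
    Because this is the edge, no upstream chain is lost by discarding
    the incoming X-Forwarded-For.
    """
    out = {k: v for k, v in incoming.items() if k.lower() not in RESERVED_HEADERS}
    out["X-Real-IP"] = peer_ip
    out["X-Forwarded-For"] = peer_ip
    out["X-User-ID"] = user_id
    return out


def client_ip_naive(headers: Dict[str, str], peer_ip: str) -> str:
    """Vulnerable: the leftmost X-Forwarded-For hop is whatever the client sent."""
    xff = headers.get("X-Forwarded-For", "")
    hops = parse_forwarded_for(xff)
    return hops[0] if hops else peer_ip


def client_ip_trusted(headers: Dict[str, str], peer_ip: str,
                      trusted: Iterable[Network] = TRUSTED_PROXIES) -> str:
    """Resolve the client IP without trusting user-controlled header values.

    Each proxy appends the address it received the connection from, so the
    chain is only reliable from the right, one entry per trusted proxy.
    The first hop from the right that is not one of our proxies is the real
    client; anything further left was written by an untrusted party.
    """
    if not _is_trusted(peer_ip, trusted):
        # Connection did not come through our proxy tier: the header is
        # entirely attacker-controlled, so use the socket peer address.
        return peer_ip
    chain = parse_forwarded_for(headers.get("X-Forwarded-For", ""))
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted):
            return hop
    # Empty chain or only our own proxies listed: fall back to the peer.
    return peer_ip


if __name__ == "__main__":
    # Constructed request: client spoofed "1.2.3.4", real client 203.0.113.9,
    # proxies 10.0.0.5 then 10.0.0.7 each appended the previous hop.
    spoofed = {"X-Forwarded-For": "1.2.3.4, 203.0.113.9, 10.0.0.5"}
    print("naive  :", client_ip_naive(spoofed, "10.0.0.7"))
    print("trusted:", client_ip_trusted(spoofed, "10.0.0.7"))
    print("edge   :", edge_sanitize({"x-user-id": "admin", "Host": "app"}, "203.0.113.9", "u-42"))
```

Pairing the two halves matters: the edge rewrite protects headers such as X-User-ID that carry no chain at all, while the right-to-left walk is what the application should still do for X-Forwarded-For, so that a request which somehow bypasses the edge (or a misconfigured additional hop) cannot pick its own address.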