Could you please let me know how to validate/configure below http security headers:
Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
X-Frame-Options
Referrer-Policy
Feature-Policy
Hello Rasik,
at the moment those headers are not analyzed yet but we have some open tickets to take care of it in the future:
- https://jira.sonarsource.com/browse/RSPEC-5728
- https://jira.sonarsource.com/browse/RSPEC-5732
- https://jira.sonarsource.com/browse/RSPEC-5730
- https://jira.sonarsource.com/browse/RSPEC-5739
- https://jira.sonarsource.com/browse/RSPEC-5734
- https://jira.sonarsource.com/browse/RSPEC-5732
- https://jira.sonarsource.com/browse/RSPEC-5736
Best regards,
Hendrik
To add to Hendrik’s answer (which is related to analyzing code with SonarQube), if you’re trying to validate this for requests/responses to/from your SonarQube server, that all will take place at the level of a reverse proxy or load balancer sitting in front of your SonarQube Server (to perform such tasks as serving your SonarQube server over HTTPS).
Want to validate the current state of your HTTP headers? Just open up your browser’s dev tools 
