ZAP Scanning Report

Site: https://facili-tacct.beta.gouv.fr

Generated on Sun, 22 Jun 2025 04:40:56

ZAP Version: 2.16.1

ZAP by Checkmarx

Summary of Alerts

Risk Level	Number of Alerts
High	0
Medium	3
Low	2
Informational	10
False Positives:	0

Summary of Sequences

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

Alerts

Name	Risk Level	Number of Instances
CSP: Wildcard Directive	Medium	2
CSP: script-src unsafe-inline	Medium	2
CSP: style-src unsafe-inline	Medium	2
CSP: Notices	Low	2
Timestamp Disclosure - Unix	Low	1
Base64 Disclosure	Informational	11
Content-Type Header Missing	Informational	1
Information Disclosure - Suspicious Comments	Informational	8
Re-examine Cache-control Directives	Informational	8
Sec-Fetch-Dest Header is Missing	Informational	3
Sec-Fetch-Mode Header is Missing	Informational	3
Sec-Fetch-Site Header is Missing	Informational	3
Sec-Fetch-User Header is Missing	Informational	3
Storable and Cacheable Content	Informational	8
Storable but Non-Cacheable Content	Informational	2

Alert Detail

Medium	CSP: Wildcard Directive
Description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: img-src, connect-src
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: img-src, connect-src
Instances	2
Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference	https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id	693
WASC Id	15
Plugin Id	10055

Medium	CSP: script-src unsafe-inline
Description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	script-src includes unsafe-inline.
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	script-src includes unsafe-inline.
Instances	2
Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference	https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id	693
WASC Id	15
Plugin Id	10055

Medium	CSP: style-src unsafe-inline
Description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	style-src includes unsafe-inline.
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	style-src includes unsafe-inline.
Instances	2
Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference	https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id	693
WASC Id	15
Plugin Id	10055

Low	CSP: Notices
Description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	Errors: 'none' must not be combined with any other ancestor-source
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter	Content-Security-Policy
Attack
Evidence	default-src 'none'; connect-src * https://.gouv.fr; font-src 'self'; media-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https://stats.beta.gouv.fr .posthog.com; style-src 'self' 'unsafe-inline'; object-src 'self' data:; frame-ancestors 'none' http://localhost:5174/ http://localhost:5174 http://localhost:5173/* http://localhost:5173 https://mon-espace-collectivite-staging.osc-fr1.scalingo.io https://mon-espace-collectivite-demo.osc-secnum-fr1.scalingo.io https://les-communs-transition-ecologique-api-staging.osc-fr1.scalingo.io/sandbox/ https://preprod-app.territoiresentransitions.fr https://staging-app.territoiresentransitions.fr; base-uri 'self' https://.gouv.fr; form-action 'self' https://.gouv.fr; block-all-mixed-content ; upgrade-insecure-requests ; frame-src 'none';
Other Info	Errors: 'none' must not be combined with any other ancestor-source
Instances	2
Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference	https://www.w3.org/TR/CSP/ https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id	693
WASC Id	15
Plugin Id	10055

Low	Timestamp Disclosure - Unix
Description	A timestamp was disclosed by the application/web server. - Unix

URL	https://facili-tacct.beta.gouv.fr/accessibilite
Method	GET
Parameter
Attack
Evidence	1724987065
Other Info	1724987065, which evaluates to: 2024-08-30 03:04:25.
Instances	1
Solution	Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Reference	https://cwe.mitre.org/data/definitions/200.html
CWE Id	497
WASC Id	13
Plugin Id	10096

Informational	Base64 Disclosure
Description	Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/developer(s).

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter
Attack
Evidence	root_collectiviteWrapper__EQv0s
Other Info	��-��%��-��yjڦ��K
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter
Attack
Evidence	root_collectiviteWrapper__EQv0s
Other Info	��-��%��-��yjڦ��K
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/(main)/accessibilite/page-6ab606755fa725d3.js
Method	GET
Parameter
Attack
Evidence	Icon_fr-icon--valign-top__TmV6M
Other Info	!�'��'��ږ('��)��W�
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/(main)/layout-1a5414b6671004b6.js
Method	GET
Parameter
Attack
Evidence	main_cookieConsentContainer__4Apfr
Other Info	��(�'��{�Ш�֢��)~
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/(main)/page-54dc04de37105732.js
Method	GET
Parameter
Attack
Evidence	iVBORw0KGgoAAAANSUhEUgAAAAUAAAAICAMAAAAGL8UJAAAAVFBMVEW4t7fBppmsmJpKOTG8v7unrMPMzN3Y08zKxrrT1NeqjIZvXFDNvqqjo7S3vs5VSE+OjKFnY3LQ4PW3p7K1mZLRwsu/wcaAhYyieHuKaWHKqqGeU2fpGBpCAAAACXBIWXMAAAsTAAALEwEAmpwYAAAANElEQVR4nAXBBQKAIAAAsaNTUTCI//+TDb4+fnhXVAjZZiJrKxLemUfh/BUiQd9VYs9ijg0tpgG90MRKcAAAAABJRU5ErkJggg==
Other Info	�PNG IHDR/� TPLTE��J91��ƺ��ת��o\P;��UHO��gcr��˿�ƀ��x{�iaʪ��Sg�B pHYs��4IDATx�� SQ0�� >~xWT�f"k+ޙG��"A�Ub�b� -��JpIEND�B`�
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/(main)/politique-de-confidentialite/page-5f35e10d3fddbe78.js
Method	GET
Parameter
Attack
Evidence	main_cookieConsentContainer__4Apfr
Other Info	��(�'��{�Ш�֢��)~
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/(main)/politique-des-cookies/page-57895f078c2d6507.js
Method	GET
Parameter
Attack
Evidence	main_cookieConsentContainer__4Apfr
Other Info	��(�'��{�Ш�֢��)~
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/layout-71f72f28dc8407b4.js
Method	GET
Parameter
Attack
Evidence	iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAMAAADz0U65AAAASFBMVEX////jCQ/mKC3xgIQ3N6jd3fH86OnhAAEAAI/9+/vt7PdFRbC1tN98fMf01NbzmJsYGJzqVFciIp7S0euhoddgYLvlGB3orK1jzlTyAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAO0lEQVR4nAXBhwGAMAwEsUu1P40O+2+KhHturGj4XhDJ8AziM3IvSOvlng1RA30OlA7jfC5qNGMAaAs/Qa0B266IshMAAAAASUVORK5CYII=
Other Info	�PNG IHDR��N�HPLTE�� (-�77��EE��\|\|��TW""��롡�``��謭c�T� pHYs��;IDATx��0�K�?��o��{n�h�^��3r/H�� Q}��\|.j4ch?A�ۮ��IEND�B`�
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/not-found-c7b288a3925a7765.js
Method	GET
Parameter
Attack
Evidence	Icon_fr-icon--valign-top__TmV6M
Other Info	!�'��'��ږ('��)��W�
URL	https://facili-tacct.beta.gouv.fr/_next/static/css/2f249d2e3e527123.css
Method	GET
Parameter
Attack
Evidence	main_cookieConsentContainer__4Apfr
Other Info	��(�'��{�Ш�֢��)~
URL	https://facili-tacct.beta.gouv.fr/_next/static/css/61b7d4c47e83f4ba.css
Method	GET
Parameter
Attack
Evidence	2H9v2H7V5H4v4h16V5h-3v2h-2V5zm5
Other Info	�o�~��~/�zW�~��ey�n
Instances	11
Solution	Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
Reference	https://projects.webappsec.org/w/page/13246936/Information%20Leakage
CWE Id	319
WASC Id	13
Plugin Id	10094

Informational	Content-Type Header Missing
Description	The Content-Type header was either missing or empty.

URL	https://facili-tacct.beta.gouv.fr/api/
Method	GET
Parameter	content-type
Attack
Evidence
Other Info
Instances	1
Solution	Ensure each page is setting the specific and appropriate content-type value for the content being delivered.
Reference	https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
CWE Id	345
WASC Id	12
Plugin Id	10019

Informational	Information Disclosure - Suspicious Comments
Description	The response appears to contain suspicious comments which may help an attacker.

URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/1637-384a2fb2ec9cd04f.js
Method	GET
Parameter
Attack
Evidence	from
Other Info	The following pattern was used: \bFROM\b and was detected in likely comment: "//fonts.googleapis.com/css","https://use.typekit.net/"].some(t=>e.props.href.startsWith(t))){let t={...e.props\|\|{}};return t["da", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/336a3fb0-29624aebf9fc4201.js
Method	GET
Parameter
Attack
Evidence	select
Other Info	The following pattern was used: \bSELECT\b and was detected in likely comment: "//react.dev/errors/"+e;if(1<arguments.length){n+="?args[]="+encodeURIComponent(arguments[1]);for(var t=2;t<arguments.length;t++)", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/7264-5ae46f35aa570da9.js
Method	GET
Parameter
Attack
Evidence	where
Other Info	The following pattern was used: \bWHERE\b and was detected in likely comment: "//www.w3.org/2000/svg",width:"80px",height:"80px",viewBox:"0 0 80 80"},["artwork-decorative","artwork-minor","artwork-major"].ma", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/7652-cf06f08dbe9ccad6.js
Method	GET
Parameter
Attack
Evidence	select
Other Info	The following pattern was used: \bSELECT\b and was detected in likely comment: "//mui.com/production-error/?code=${e}`);return t.forEach(e=>r.searchParams.append("args[]",e)),`Minified MUI error #${e}; visit ", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/8314-8b5619b8f0d157fd.js
Method	GET
Parameter
Attack
Evidence	bug
Other Info	The following pattern was used: \bBUG\b and was detected in likely comment: "//react.dev/errors/"+e;if(1<arguments.length){t+="?args[]="+encodeURIComponent(arguments[1]);for(var r=2;r<arguments.length;r++)", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/app/global-error-b17a2b8243057009.js
Method	GET
Parameter
Attack
Evidence	from
Other Info	The following pattern was used: \bFROM\b and was detected in likely comment: "//fonts.googleapis.com/css","https://use.typekit.net/"].some(t=>e.props.href.startsWith(t))){let t={...e.props\|\|{}};return t["da", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/f9a1229c-254963bad2f7bbef.js
Method	GET
Parameter
Attack
Evidence	bug
Other Info	The following pattern was used: \bBUG\b and was detected in likely comment: "//app.posthog.com/home#panel=support%3Asupport%3A."),ee.critical(e)}}},P=function(e){var t={};return S(e,function(e,i){W(e)&&e.l", see evidence field for the suspicious comment/snippet.
URL	https://facili-tacct.beta.gouv.fr/_next/static/chunks/polyfills-42372ed130431b0a.js
Method	GET
Parameter
Attack
Evidence	from
Other Info	The following pattern was used: \bFROM\b and was detected in likely comment: "//github.com/zloirock/core-js/blob/v3.38.1/LICENSE",source:"https://github.com/zloirock/core-js"})}),nt=function(t,e){return rt[", see evidence field for the suspicious comment/snippet.
Instances	8
Solution	Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
CWE Id	615
WASC Id	13
Plugin Id	10027

Informational	Re-examine Cache-control Directives
Description	The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/accessibilite
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/mentions-legales
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/politique-de-confidentialite
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/politique-des-cookies
Method	GET
Parameter	cache-control
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter	cache-control
Attack
Evidence	public, max-age=0, must-revalidate
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter	cache-control
Attack
Evidence	public, max-age=0, must-revalidate
Other Info
Instances	8
Solution	For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
Reference	https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id	525
WASC Id	13
Plugin Id	10015

Informational	Sec-Fetch-Dest Header is Missing
Description	Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

URL	https://facili-tacct.beta.gouv.fr/_next/static/css/57b94a026056d03d.css
Method	GET
Parameter	Sec-Fetch-Dest
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter	Sec-Fetch-Dest
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter	Sec-Fetch-Dest
Attack
Evidence
Other Info
Instances	3
Solution	Ensure that Sec-Fetch-Dest header is included in request headers.
Reference	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest
CWE Id	352
WASC Id	9
Plugin Id	90005

Informational	Sec-Fetch-Mode Header is Missing
Description	Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

URL	https://facili-tacct.beta.gouv.fr/_next/static/css/57b94a026056d03d.css
Method	GET
Parameter	Sec-Fetch-Mode
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter	Sec-Fetch-Mode
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter	Sec-Fetch-Mode
Attack
Evidence
Other Info
Instances	3
Solution	Ensure that Sec-Fetch-Mode header is included in request headers.
Reference	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
CWE Id	352
WASC Id	9
Plugin Id	90005

Informational	Sec-Fetch-Site Header is Missing
Description	Specifies the relationship between request initiator's origin and target's origin.

URL	https://facili-tacct.beta.gouv.fr/_next/static/css/57b94a026056d03d.css
Method	GET
Parameter	Sec-Fetch-Site
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter	Sec-Fetch-Site
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter	Sec-Fetch-Site
Attack
Evidence
Other Info
Instances	3
Solution	Ensure that Sec-Fetch-Site header is included in request headers.
Reference	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
CWE Id	352
WASC Id	9
Plugin Id	90005

Informational	Sec-Fetch-User Header is Missing
Description	Specifies if a navigation request was initiated by a user.

URL	https://facili-tacct.beta.gouv.fr/_next/static/css/57b94a026056d03d.css
Method	GET
Parameter	Sec-Fetch-User
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter	Sec-Fetch-User
Attack
Evidence
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter	Sec-Fetch-User
Attack
Evidence
Other Info
Instances	3
Solution	Ensure that Sec-Fetch-User header is included in user initiated requests.
Reference	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User
CWE Id	352
WASC Id	9
Plugin Id	90005

Informational	Storable and Cacheable Content
Description	The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

URL	https://facili-tacct.beta.gouv.fr
Method	GET
Parameter
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/
Method	GET
Parameter
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/_next/static/css/1b1d10445b60e5f7.css
Method	GET
Parameter
Attack
Evidence	max-age=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/_next/static/css/2f249d2e3e527123.css
Method	GET
Parameter
Attack
Evidence	max-age=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/_next/static/media/Marianne-Regular.119b3a3e.woff2
Method	GET
Parameter
Attack
Evidence	max-age=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/accessibilite
Method	GET
Parameter
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/mentions-legales
Method	GET
Parameter
Attack
Evidence	s-maxage=31536000
Other Info
URL	https://facili-tacct.beta.gouv.fr/politique-des-cookies
Method	GET
Parameter
Attack
Evidence	s-maxage=31536000
Other Info
Instances	8
Solution	Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user: Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Expires: 0 This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
Reference	https://datatracker.ietf.org/doc/html/rfc7234 https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id	524
WASC Id	13
Plugin Id	10049

Informational	Storable but Non-Cacheable Content
Description	The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

URL	https://facili-tacct.beta.gouv.fr/robots.txt
Method	GET
Parameter
Attack
Evidence	max-age=0
Other Info
URL	https://facili-tacct.beta.gouv.fr/sitemap.xml
Method	GET
Parameter
Attack
Evidence	max-age=0
Other Info
Instances	2
Solution
Reference	https://datatracker.ietf.org/doc/html/rfc7234 https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id	524
WASC Id	13
Plugin Id	10049

Sequence Details

^{With the associated active scan results.}