SYM_GEN_0053 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
## Configuration

| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-16: CWE CATEGORY: Configuration |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

In Nginx, `add_header` directives are inherited from the enclosing level only when the current level defines none of its own. Defining any `add_header` directive inside a `location` block after headers have already been set in the `server` block therefore replaces the entire inherited set for that location rather than adding to it. Any security headers set at the server level are silently dropped for that location unless they are repeated there.
## Impact

Dropping important security headers weakens protections such as HSTS, CSP, or X-Frame-Options for the affected location, increasing the risk of attacks such as cross-site scripting or clickjacking. This misconfiguration may expose your application to vulnerabilities that those headers are meant to prevent, because the protections are no longer applied consistently across all paths.
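The following is an added example, not part of the original wiki entry or of the Symbiotic project's tooling. It models the Nginx inheritance rule described above (a level inherits `add_header` directives only if it declares none itself) over a simplified parser for the Nginx configuration syntax, computes the effective header set for every block, and flags any `location` that declares its own `add_header` and thereby loses headers set at the server level. The two configurations embedded in it are constructed for the example: a weak one where `location /static/` adds a `Cache-Control` header and drops HSTS, CSP and X-Frame-Options, and a corrected one where the server-level headers are repeated in that location. The parser only handles the subset of Nginx syntax needed here (statements ending in `;`, blocks in `{ }`, `#` comments, quoted values) and is not a full Nginx config parser.

```python
"""Model Nginx add_header inheritance and flag locations that drop server-level headers.

Added example; the parser is a deliberately small subset of Nginx's syntax and the
sample configurations below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                     # e.g. "server" or "location /static/"
    headers: list = field(default_factory=list)   # add_header names declared at this level
    children: list = field(default_factory=list)  # nested blocks


# One token per match: a brace, a semicolon, a quoted string, or a bare word.
_TOKEN = re.compile(r'\s*(\{|\}|;|"[^"]*"|\'[^\']*\'|[^\s{};]+)')


def tokenize(text):
    """Split Nginx config text into tokens; '#' comments are stripped first.

    Simplification: a '#' inside a quoted value would also be treated as a comment.
    """
    text = re.sub(r'#[^\n]*', '', text)
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:          # only trailing whitespace left
            break
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens, name="root"):
    """Build a Block tree; returns (block, number_of_tokens_consumed)."""
    block = Block(name)
    i = 0
    while i < len(tokens):
        if tokens[i] == '}':
            return block, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in (';', '{'):
            words.append(tokens[i])
            i += 1
        if i >= len(tokens):
            break
        if tokens[i] == '{':
            child, consumed = parse(tokens[i + 1:], ' '.join(words))
            block.children.append(child)
            i += 1 + consumed
        else:
            if len(words) >= 2 and words[0] == 'add_header':
                block.headers.append(words[1])   # header name; value and 'always' ignored
            i += 1
    return block, i


def _walk(block, inherited=(), path=""):
    """Yield (path, inherited, effective, declares_own) applying the Nginx rule:
    add_header is inherited from the enclosing level only if this level declares none."""
    own = [h.lower() for h in block.headers] or list(inherited)
    if path:
        yield path, list(inherited), own, bool(block.headers)
    for child in block.children:
        yield from _walk(child, own, f"{path} > {child.name}" if path else child.name)


def effective_headers(config_text):
    """Map every block path to the sorted list of add_header names that apply there."""
    root, _ = parse(tokenize(config_text))
    return {path: sorted(own) for path, _inh, own, _decl in _walk(root)}


def find_dropped_headers(config_text):
    """Map block paths to the inherited headers they lose by declaring their own add_header."""
    root, _ = parse(tokenize(config_text))
    dropped = {}
    for path, inherited, own, declares in _walk(root):
        lost = sorted(set(inherited) - set(own))
        if declares and lost:
            dropped[path] = lost
    return dropped


# Constructed sample: /static/ adds Cache-Control and silently loses the server headers.
WEAK_CONFIG = """
http {
    server {
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "default-src 'self'";

        location /static/ {
            add_header Cache-Control "public, max-age=86400";
        }
        location /api/ {
            proxy_pass http://backend;  # declares no add_header, so it inherits all three
        }
    }
}
"""

# Constructed fix: the server-level headers are repeated in the location that adds its own.
FIXED_CONFIG = WEAK_CONFIG.replace(
    '            add_header Cache-Control "public, max-age=86400";',
    '            add_header Cache-Control "public, max-age=86400";\n'
    '            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\n'
    '            add_header X-Frame-Options DENY;\n'
    '            add_header Content-Security-Policy "default-src \'self\'";',
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}] dropped headers per location: {find_dropped_headers(cfg)}")
```

Running the script reports that in the weak configuration `http > server > location /static/` loses `content-security-policy`, `strict-transport-security` and `x-frame-options`, while `/api/` keeps them because it declares no `add_header` of its own; the fixed configuration reports nothing dropped. In a real deployment the repeated headers are usually kept in one snippet and pulled in with `include` in each location that sets its own headers, so the check above is best run on the fully expanded configuration.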