What is the OWASP Top 10?

The Open Web Application Security Project (OWASP) Top 10 is the most widely recognised standard in web application security. Published every 3–4 years, it identifies the ten most critical risk categories threatening modern web applications — based on incident data, CVE analysis, and survey input from hundreds of organisations.

The 2021 edition introduced three new categories: Insecure Design (A04), Software and Data Integrity Failures (A08), and Server-Side Request Forgery (A10). The OWASP Top 10 is referenced in PCI-DSS, ISO 27001, and many enterprise security questionnaires as a baseline expectation.

WebAudit can automatically verify 7 of the 10 categories through external scanning. The remaining three (A04 Insecure Design, A09 Security Logging, A10 SSRF) require application-level testing beyond what header analysis can reach.

Requirements WebAudit checks

A01 Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. This category includes clickjacking attacks (where a victim is tricked into clicking hidden elements in an iframe), CORS misconfigurations that expose APIs to unauthorised cross-origin callers, and frame-based attacks.
Checks: X-Frame-Options; CSP frame-ancestors; CORS no wildcard
Fix: Set X-Frame-Options: SAMEORIGIN or use a CSP frame-ancestors 'self' directive (preferred in modern browsers). Remove CORS wildcard (*) and allowlist only trusted origins in Access-Control-Allow-Origin.
A02 Cryptographic Failures
Failures related to cryptography that expose sensitive data in transit. This covers missing HTTPS enforcement (allowing unencrypted fallback), weak or expired TLS certificates, insecure cookie attributes that allow session tokens to be transmitted over HTTP, and mixed content that undermines HTTPS pages.
Checks: TLS valid; HSTS present; cookies Secure flag; no mixed content
Fix: Enforce HTTPS with Strict-Transport-Security: max-age=31536000; includeSubDomains. Set the Secure flag on all cookies. Ensure all subresources on HTTPS pages are also loaded over HTTPS.
A03 Injection (XSS)
Cross-site scripting (XSS) allows attackers to inject malicious client-side scripts into pages viewed by other users. A strong Content Security Policy is the primary browser-side defence — it restricts which scripts are allowed to execute, blocking injected code even when server-side sanitisation is incomplete.
Checks: CSP present; CSP no unsafe-inline/eval
Fix: Deploy a Content-Security-Policy header. Avoid 'unsafe-inline' and 'unsafe-eval' — use nonces ('nonce-{value}') or hashes for inline scripts instead. Use the CSP Generator to build a policy.
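The A01 framing and CORS checks and the A03 CSP checks above can be expressed as a small evaluator over a response's headers. The Python below is an added example, not WebAudit's own scanner code: the header sets are constructed, and the function names are hypothetical. It also records the browser caveat that a nonce or hash source in the same directive makes CSP2+ browsers ignore 'unsafe-inline', which still counts as a failure here because the token should simply be removed.

```python
"""Added example: A01 (clickjacking, CORS) and A03 (CSP) header checks.
Not WebAudit's code; header values below are constructed."""
import re
from typing import Dict, List

NONCE_OR_HASH = re.compile(r"'(nonce-|sha(256|384|512)-)")


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}.
    Directives are ';'-separated; the first token of each is the name."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_framing(headers: Dict[str, str]) -> List[str]:
    """A01: the page must refuse to be framed by other origins."""
    findings: List[str] = []
    csp = parse_csp(_header(headers, "Content-Security-Policy"))
    xfo = _header(headers, "X-Frame-Options").strip().upper()
    if "frame-ancestors" in csp:
        # frame-ancestors takes precedence over X-Frame-Options where supported
        if "*" in csp["frame-ancestors"]:
            findings.append("frame-ancestors allows framing by any origin")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no frame-ancestors directive and X-Frame-Options "
                        "is missing or not DENY/SAMEORIGIN")
    return findings


def check_cors(headers: Dict[str, str]) -> List[str]:
    """A01: a wildcard Access-Control-Allow-Origin exposes the response
    to scripts from every origin."""
    acao = _header(headers, "Access-Control-Allow-Origin").strip()
    if acao == "*":
        return ["Access-Control-Allow-Origin is '*'; allowlist trusted origins"]
    return []


def check_csp_scripts(headers: Dict[str, str]) -> List[str]:
    """A03: script-src (falling back to default-src) must not allow inline
    or eval'd script."""
    csp = parse_csp(_header(headers, "Content-Security-Policy"))
    if not csp:
        return ["Content-Security-Policy header missing"]
    sources = csp.get("script-src", csp.get("default-src", []))
    findings: List[str] = []
    if "'unsafe-inline'" in sources:
        if any(NONCE_OR_HASH.match(s) for s in sources):
            # CSP2+ browsers ignore 'unsafe-inline' once a nonce/hash is
            # present in the directive; the token is dead weight, remove it
            findings.append("'unsafe-inline' listed next to a nonce/hash: "
                            "ignored by CSP2+ browsers, but remove it")
        else:
            findings.append("script-src allows 'unsafe-inline' with no nonce/hash")
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval'")
    return findings


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Group findings by OWASP category; empty lists mean the checks pass."""
    return {"A01": check_framing(headers) + check_cors(headers),
            "A03": check_csp_scripts(headers)}


# Constructed header sets for illustration
WEAK = {"Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        "Access-Control-Allow-Origin": "*"}
STRONG = {"content-security-policy":
          "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'self'",
          "Access-Control-Allow-Origin": "https://app.example"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(hdrs))
```

Run the module to see the weak set fail four checks and the strong set pass; feed it a real response's headers (for example from `requests`' `response.headers`) to audit a live site you operate.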
A05 Security Misconfiguration
Insecure default configurations, missing security headers, and server version disclosure. Exposing framework or server version strings (e.g., Server: nginx/1.24.0 or X-Powered-By: Express) gives attackers a roadmap to known CVEs without any active probing.
Checks: X-Content-Type-Options; Referrer-Policy; Permissions-Policy; no server fingerprint
Fix: Set X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a Permissions-Policy header. Remove or suppress Server and X-Powered-By version headers.
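The A05 fix above, together with the HSTS header from A02, can be applied in one place rather than per handler. The following WSGI middleware is an added example and not WebAudit's code: it strips Server and X-Powered-By from the application's own headers and adds the baseline headers the page recommends. The Permissions-Policy value is an assumed baseline; the `demo_app` and `run_once` helpers are constructed for the demonstration. Headers added by a front-end server are outside the application's reach (nginx, for instance, needs `server_tokens off;` to drop its version string), and HSTS only has effect when served over HTTPS.

```python
"""Added example: WSGI middleware applying the A02 (HSTS) and A05
(security headers, fingerprint removal) fixes. Not WebAudit's code."""
from typing import Callable, Dict, Iterable, List, Tuple

Header = Tuple[str, str]

HARDENING_HEADERS: List[Header] = [
    # HSTS as recommended on the page; only meaningful over HTTPS
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    # Assumed baseline: deny these features to every origin; relax per app
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
FINGERPRINT_HEADERS = {"server", "x-powered-by"}


def harden_headers(headers: Iterable[Header]) -> List[Header]:
    """Return a new header list with fingerprint headers removed and the
    hardening headers appended. App-set values with the same names are
    replaced so the baseline stays authoritative."""
    baseline = {name.lower() for name, _ in HARDENING_HEADERS}
    kept = [(name, value) for name, value in headers
            if name.lower() not in FINGERPRINT_HEADERS
            and name.lower() not in baseline]
    return kept + list(HARDENING_HEADERS)


class SecurityHeadersMiddleware:
    """Wraps any WSGI app and rewrites headers in start_response."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, wrapped_start_response)


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed app that leaks a framework fingerprint (X-Powered-By)."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Powered-By", "Express")])
    return [b"<h1>hello</h1>"]


def run_once(app: Callable, environ: Dict = None):
    """Invoke a WSGI app with a minimal environ; return (status, headers, body)."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    env = environ or {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(env, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(SecurityHeadersMiddleware(demo_app))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

Wrap the application object that your server loads (`application = SecurityHeadersMiddleware(application)`) and re-scan: the fingerprint header disappears and the four baseline headers appear on every response.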
A06 Vulnerable and Outdated Components
Running components (libraries, CDN-hosted scripts) with known vulnerabilities. Subresource Integrity (SRI) ensures that even if a CDN is compromised or a script is tampered with, browsers will refuse to execute the altered version — because the cryptographic hash no longer matches.
Checks: SRI present
Fix: Add integrity="sha384-..." and crossorigin="anonymous" attributes to all external <script> and <link> tags. Also run npm audit or pip audit to identify known-vulnerable packages.
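Generating and checking the integrity value from A06 (and the same control as used in A08) works as follows. The Python below is an added example, not WebAudit's or any CDN's code; the script body is constructed. `verify_sri` mirrors the browser's rule that, when several tokens are listed, the strongest supported algorithm decides, and that an attribute containing no recognised algorithm results in no enforcement at all, which is the edge case that silently defeats SRI.

```python
"""Added example (not WebAudit's code): generate and verify Subresource
Integrity values as described under A06 and A08."""
import base64
import hashlib
import hmac
from typing import Tuple

# Ordered weakest to strongest; browsers pick the strongest listed one
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit the <script> tag from the fix above. crossorigin="anonymous" is
    required for cross-origin resources, otherwise the browser cannot check."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity_attr: str) -> Tuple[bool, bool]:
    """Return (passes, enforced). Mirrors browser behaviour: unknown tokens
    are ignored; if nothing usable remains the resource loads unchecked;
    otherwise only tokens of the strongest listed algorithm count."""
    parsed = []
    for token in integrity_attr.split():
        alg, _, value = token.partition("-")
        alg = alg.lower()
        if alg in SRI_ALGORITHMS:
            # strip any trailing option-expression ("?...") per the spec
            parsed.append((alg, value.split("?", 1)[0]))
    if not parsed:
        return True, False  # no enforcement: an easy-to-miss failure mode
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    expected = hashlib.new(strongest, content).digest()
    for alg, value in parsed:
        if alg != strongest:
            continue
        try:
            given = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if hmac.compare_digest(given, expected):
            return True, True
    return False, True


# Constructed script body standing in for a CDN-hosted file
VENDOR_JS = b"console.log('constructed vendor script');"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/vendor.js", VENDOR_JS)
    print(tag)
    print(verify_sri(VENDOR_JS, sri_hash(VENDOR_JS)))
    print(verify_sri(VENDOR_JS + b"// tampered", sri_hash(VENDOR_JS)))
```

Pin the script to a versioned URL before adding the attribute: SRI compares the fetched bytes to a fixed digest, so a "latest" URL that the CDN updates will stop loading the moment the content changes, which is the intended behaviour when the change is malicious and an outage when it is not.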
A07 Identification and Authentication Failures
Authentication weaknesses including session cookie misconfigurations. Without HttpOnly, session cookies are accessible to JavaScript — enabling theft via XSS. Without SameSite, cookies are sent in cross-site requests — enabling CSRF-based session hijacking.
Checks: cookies HttpOnly; cookies SameSite
Fix: Set HttpOnly and SameSite=Lax (or SameSite=Strict for high-security contexts) on all session cookies to prevent JavaScript access and CSRF-based session theft.
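The cookie attribute checks from A02 (Secure) and A07 (HttpOnly, SameSite) share one parser, shown here as an added example that is not WebAudit's code. The Set-Cookie headers are constructed; the function names are hypothetical. Beyond the page's three checks it reports SameSite=None, which sends the cookie cross-site and so gives no CSRF protection, and the browser rule that SameSite=None without Secure is rejected outright.

```python
"""Added example (not WebAudit's code): Set-Cookie checks for A02 and A07."""
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Return (name, value, attributes). Attribute names are lower-cased;
    flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def check_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (A02)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (A07)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        # absent, or "SameSite" with no value: treat as not set
        findings.append(f"{name}: missing SameSite (A07)")
    else:
        mode = samesite.lower()
        if mode == "none":
            findings.append(f"{name}: SameSite=None sends the cookie "
                            "cross-site (no CSRF protection)")
            if "secure" not in attrs:
                findings.append(f"{name}: SameSite=None without Secure "
                                "is rejected by modern browsers")
        elif mode not in ("lax", "strict"):
            findings.append(f"{name}: unrecognised SameSite value {samesite!r}")
    return findings


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Run check_cookie over every Set-Cookie header in a response."""
    findings: List[str] = []
    for header in set_cookie_headers:
        findings.extend(check_cookie(header))
    return findings


# Constructed headers for illustration
SAMPLE_RESPONSE = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=x; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_RESPONSE):
        print(line)
```

Paste a response's Set-Cookie headers into `SAMPLE_RESPONSE` to audit it; the first constructed header fails all three checks, the second passes, and the third shows why SameSite=None is not an answer to the A07 check.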
A08 Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations. Magecart and other supply-chain attacks inject skimming scripts by compromising a single CDN or third-party script provider — all downstream sites loading that script are instantly affected. CSP + SRI together prevent this class of attack.
Checks: SRI present; CSP present
Fix: Deploy SRI for all externally loaded scripts and stylesheets. Use a strict CSP to prevent loading from untrusted origins. The two controls are complementary — CSP restricts the source, SRI verifies the content.

Coverage summary

Of the ten categories below, three (A04, A09, A10) require application-level testing and cannot be verified through external scanning.

Category                           Covered by WebAudit
A01 Broken Access Control          ✓ Partial — XFO, CORS, frame-ancestors
A02 Cryptographic Failures         ✓ Full — TLS, HSTS, cookies, mixed content
A03 Injection (XSS)                ✓ Partial — CSP presence and safety
A04 Insecure Design                — App-level, not scannable
A05 Security Misconfiguration      ✓ Full — headers, fingerprinting
A06 Vulnerable Components          ✓ Partial — SRI on external scripts
A07 Auth Failures                  ✓ Partial — cookie attributes
A08 Integrity Failures             ✓ Partial — SRI + CSP
A09 Logging Failures               — Server-side, not scannable
A10 Server-Side Request Forgery    — App-level, not scannable

Get your OWASP compliance report

Instant PDF showing which OWASP Top 10 categories your domain passes and fails — with specific remediation steps.
