PCI-DSS 4.0 6.4.3
Client-side tampering
UnveilScan findings mapped to this control
The scanner emits 9 distinct findings for this control. Scanning a domain shows which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, BIND DNS, web-server config).
web.cookie_session_without_httponly
⏱ 15 min
WEB — Session cookie without HttpOnly
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
web.cors.allow_origin_null
⏱ 15 min
WEB — CORS allows the null origin
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.cors.origin_reflected
⏱ 1h
WEB — CORS reflects the request Origin
Risk if ignored: Reflected origin + credentials = attacker page reads user sessions freely.
security
Also maps to 1 other control
web.cors.wildcard_with_credentials
⏱ 1h
WEB — CORS wildcard origin with credentials
Risk if ignored: Any origin can read authenticated API responses on behalf of your users — CSRF-style data exfiltration.
security legal
Also maps to 1 other control
web.cross_origin_password_form
⏱ 4h
WEB — Cross-origin password form
Risk if ignored: Either phishing or compromised template — credentials actively flow to a foreign origin on every submission.
security legal reputational
web.csp_script_wildcard
⏱ 15 min
WEB — CSP script-src wildcard
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.csp_unsafe_eval
⏱ 2h
WEB — CSP unsafe-eval
Risk if ignored: Dynamic code injection via eval / new Function succeeds. Libraries that rely on eval in production (old Angular, Alpine) widen the hole.
security
Also maps to 1 other control
web.csp_unsafe_inline
⏱ 3h
WEB — CSP unsafe-inline
Risk if ignored: Your CSP claims to mitigate XSS but doesn't. An attacker injecting a <script> tag executes freely — session tokens, form data, DOM state all at risk.
security legal
Also maps to 1 other control
web.csrf_token_missing
⏱ 2h
WEB — CSRF token missing
Risk if ignored: POST endpoints execute state changes on behalf of authenticated users via a hostile third-party page.
security