Some of the passive scan rules just check text responses, which include HTML, JavaScript, JSON and XML.
I'm wondering if some of them should only test HTML responses, either at the default (medium) or high threshold.
Some release quality examples:
- Web Browser XSS Protection Not Enabled
- X-Frame-Options Header Not Set
- X-Content-Type-Options Header Missing
Also, the "Incomplete or No Cache-control and Pragma HTTP Header Set" rule explicitly ignores CSS files but doesn't ignore JavaScript ones, which seems a little bit strange?
So ... should any of these rules be changed to ignore non-HTML responses, and if so at what threshold?
Cheers,
Simon
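As an added illustration of the scoping question above (this is example code written for this page, not ZAP's own passive scan code, and the rule names are only used as lookup keys), the snippet below classifies a response by what it actually is and then applies a hypothetical policy: at the default (medium) and high thresholds the three header rules listed fire only on HTML, at low they fire on any text response. The classification deliberately falls back to sniffing the body when Content-Type is missing, because a browser would sniff such a response too, so a bare page with no Content-Type should not silently escape the checks. The threshold policy and the `content_kind`/`rule_applies` helpers are assumptions for illustration.

```python
"""Added example (not ZAP code): should a header-type passive scan rule fire
for a given response, taking the response kind and the threshold into account?

Assumptions: the policy in rule_applies() and the sniffing heuristics are
hypothetical; ZAP's real rules and thresholds may behave differently.
"""

# Rules the post lists as candidates for "HTML only" at the default threshold.
HTML_RULES = {
    "Web Browser XSS Protection Not Enabled",
    "X-Frame-Options Header Not Set",
    "X-Content-Type-Options Header Missing",
}

# Kinds that count as "text responses" for the purposes of this example.
TEXT_KINDS = {"html", "javascript", "json", "xml", "css"}


def content_kind(headers: dict, body: bytes) -> str:
    """Classify a response as html/javascript/json/xml/css/other.

    The Content-Type header wins when present (matched case-insensitively,
    parameters such as charset stripped). When it is absent, the first bytes
    of the body are sniffed, roughly the way a browser would, so that an HTML
    page served without a Content-Type is still recognised as HTML.
    """
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";", 1)[0].strip().lower()
            break
    if ctype:
        if ctype in ("text/html", "application/xhtml+xml"):
            return "html"
        if ctype in ("application/javascript", "text/javascript",
                     "application/x-javascript"):
            return "javascript"
        if ctype == "application/json" or ctype.endswith("+json"):
            return "json"
        if ctype in ("application/xml", "text/xml") or ctype.endswith("+xml"):
            return "xml"
        if ctype == "text/css":
            return "css"
        return "other"  # images, binaries, anything else we do not sniff
    # No Content-Type at all: sniff the start of the body (heuristic only).
    head = body[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    if head.startswith(b"<"):
        return "xml"  # generic markup without an HTML preamble
    if head.startswith(b"{") or head.startswith(b"["):
        return "json"
    return "other"


def rule_applies(rule: str, kind: str, threshold: str) -> bool:
    """Hypothetical policy for the example.

    Rules in HTML_RULES: at LOW threshold run on any text response; at MEDIUM
    (the default) and HIGH run only on HTML. All other text-based rules keep
    running on every text response regardless of threshold.
    """
    if rule not in HTML_RULES:
        return kind in TEXT_KINDS
    if threshold.upper() == "LOW":
        return kind in TEXT_KINDS
    return kind == "html"


def evaluate(headers: dict, body: bytes, threshold: str) -> dict:
    """Return {rule: fires?} for the three listed rules on one response."""
    kind = content_kind(headers, body)
    return {rule: rule_applies(rule, kind, threshold) for rule in HTML_RULES}


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real site).
    samples = [
        ({"Content-Type": "text/html; charset=utf-8"}, b"<html><body>hi</body></html>"),
        ({"Content-Type": "application/json"}, b'{"ok": true}'),
        ({}, b"\n<!DOCTYPE html><html><head></head></html>"),
        ({"Content-Type": "image/png"}, b"\x89PNG\r\n"),
    ]
    for headers, body in samples:
        kind = content_kind(headers, body)
        for th in ("LOW", "MEDIUM", "HIGH"):
            print(kind, th, evaluate(headers, body, th))
```

Usage note: the interesting case is the third sample, which has no Content-Type but is plainly HTML; with a header-only check it would be classified as "other" and the header rules would never fire on it at medium, which is exactly the kind of gap that X-Content-Type-Options itself exists to close.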