
We have developed an app in Salesforce which uses the DocuSign web service API (https://demo.docusign.net/api/3.0/dsapi.asmx for development and https://www.docusign.net/api/3.0/dsapi.asmx for production). We found a few vulnerabilities when we did security scanning on both APIs. We used the ZAP tool for security scanning and it revealed the following vulnerabilities:

  1. X-Frame-Options Header Not Set
  2. Incomplete or No Cache-control and Pragma HTTP Header Set
  3. Web Browser XSS Protection Not Enabled
  4. X-Content-Type-Options Header Missing

Can these issues be fixed on the web services, or is there any document that proves that these are false positives?

Thanks

Larry K

1 Answer

ZAP, like all automated scanners, is very good at finding common oversights and comparing applications with best practices. Unfortunately, they do often fail to consider the larger scenario at hand. Setting the correct X- headers for the right scenarios is an important protection against common attacks like clickjacking and XSS in client-server web flows, as they help inform the user's browser which actions should be permitted or not. Those attacks are not relevant in a server-to-server API flow, however, so these should be considered false positives. Thank you for bringing these to our attention, however. DocuSign is continuously investing in our platform's security and we appreciate the scrutiny.

Laurel
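The reasoning in the answer (these headers only instruct a browser, so they have nothing to protect on a payload no browser renders) can be turned into a repeatable triage step. The script below is an added example and is not code from the question, the answer, DocuSign or ZAP. It parses a raw HTTP response head, looks for the four headers behind the four ZAP alerts, and rates each finding by the response's Content-Type: a missing header on an HTML page is a real finding, a missing header on a SOAP/XML or JSON payload is the false positive the answer describes. Both sample responses are constructed for the example and are not captures of dsapi.asmx; the alert names are the ones listed in the question.

```python
"""Triage ZAP 'missing security header' alerts against a raw HTTP response.

Added example, not code from the question, the answer, DocuSign or ZAP.
The sample responses below are constructed; they are not real captures.
"""
from __future__ import annotations

# The four ZAP alerts from the question, mapped to the header each one checks.
ZAP_ALERTS = {
    "X-Frame-Options Header Not Set": "x-frame-options",
    "Incomplete or No Cache-control and Pragma HTTP Header Set": "cache-control",
    "Web Browser XSS Protection Not Enabled": "x-xss-protection",
    "X-Content-Type-Options Header Missing": "x-content-type-options",
}

# Content types a browser renders as a document. Framing (clickjacking),
# the legacy XSS filter and MIME sniffing only come into play for these;
# a SOAP envelope or JSON body fetched by a server-side client is never
# rendered, so the browser-only headers have nothing to protect.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml"}

# Constructed sample: what a SOAP endpoint typically returns (no browser headers).
SOAP_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 512
Date: Mon, 01 Jan 2018 00:00:00 GMT

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">...</soap:Envelope>
"""

# Constructed sample: an HTML page with only one of the four headers set.
HTML_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Date: Mon, 01 Jan 2018 00:00:00 GMT

<html><body>login form</body></html>
"""


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_browser_renderable(headers: dict[str, str]) -> bool:
    """True when the media type is one a browser would render as a page."""
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type in RENDERABLE_TYPES


def triage(raw_response: str) -> dict[str, str]:
    """Map each ZAP alert to a verdict for this response.

    'ok'             the header is present
    'missing'        absent on a browser-rendered response: a real finding
    'false positive' absent on an API payload no browser renders
    """
    _, headers = parse_response_head(raw_response)
    renderable = is_browser_renderable(headers)
    verdicts: dict[str, str] = {}
    for alert, header in ZAP_ALERTS.items():
        if header in headers:
            verdicts[alert] = "ok"
        elif renderable:
            verdicts[alert] = "missing"
        else:
            verdicts[alert] = "false positive"
    return verdicts


if __name__ == "__main__":
    for label, raw in (("SOAP API", SOAP_RESPONSE), ("HTML page", HTML_RESPONSE)):
        print(f"== {label} ==")
        for alert, verdict in triage(raw).items():
            print(f"  {verdict:15} {alert}")
```

Running it against a real endpoint means pasting the captured response head (from ZAP's request/response view or `curl -i`) into the triage function; the rule of thumb it encodes is that the Content-Type, not the URL, decides whether a browser-only header matters. One caveat worth keeping in mind when reading the third alert: `X-XSS-Protection` controls a legacy browser filter that current browsers have removed or never implemented, so even on an HTML page it is a weak control and not a substitute for output encoding.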