I've been challenged by my infrastructure team regarding this issue:
"HTTP Security Header Not Detected" QID = 11827
The challenge was how they can be warned in the future when 'new' failures are introduced into the scans. Are there any mechanisms or resources that I should be part of to see the introduction of new issues/vulnerabilities/configurations, so I can see incoming issues?
We had a few of these (QID = 11827) appear late last year, all at the same time, and have been struggling (due to timing/resources) to fix them in time for our clean scan. What I'm missing is when and why it was decided that not using these CSPs would become PCI failures.
Any pointers to resources or feeds that I should be part of to get as much of a head start on these as possible would be great. I'd like to understand why not using CSPs is a PCI failure (although I totally agree it is a security best practice; I just want to find out where and when these get decided).