Managed Security Review for Web Applications
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews for Web applications provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
info
Managed security reviews for web applications will continue to be expanded, and this page will be updated accordingly. For the latest roadmap regarding the expansion of managed security reviews, please reach out to Flatt Security.
All managed review items
| Title | ID in Shisho Cloud |
|---|---|
| Protect from eval injection | decision.api.shisho.dev/v1beta:web_eval_injection |
| Ensure GraphQL introspection is disabled | decision.api.shisho.dev/v1beta:web_graphql_introspection_query |
| Fix HTML injection vulnerability | decision.api.shisho.dev/v1beta:web_html_injection |
| Fix Local File Inclusion vulnerability | decision.api.shisho.dev/v1beta:web_lfi |
| Fix header injection vulnerability | decision.api.shisho.dev/v1beta:web_location_header_injection |
| Fix open redirect vulnerability | decision.api.shisho.dev/v1beta:web_open_redirect |
| Protect from OS command injection | decision.api.shisho.dev/v1beta:web_osci |
| Ensure CORS is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_access_control_allow_origin |
| Ensure Cache-Control headers are appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cache_control |
| Ensure charset is specified | decision.api.shisho.dev/v1beta:web_passive_charset |
| Protect from click jacking | decision.api.shisho.dev/v1beta:web_passive_click_jacking |
| Ensure Content Security Policy is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_content_security_policy |
| Ensure Content-Type header is set | decision.api.shisho.dev/v1beta:web_passive_content_type |
| Ensure the HttpOnly attribute of Cookies are appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cookie_httponly |
| Ensure the SameSite attribute of Cookies are appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cookie_samesite |
| Ensure the Secure attribute of Cookies are appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cookie_secure |
| Ensure that Cross-Origin-Opener-Policy is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cross_origin_opener_policy |
| Ensure that Cross-Origin-Resource-Policy is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_cross_origin_resource_policy |
| Ensure data beneficial for attackers are not exposed | decision.api.shisho.dev/v1beta:web_passive_data_exposure_benefiting_attackers |
| Ensure personal data are not exposed | decision.api.shisho.dev/v1beta:web_passive_data_exposure_personal |
| Ensure debug information is not exposed | decision.api.shisho.dev/v1beta:web_passive_debug_message |
| Disable unintended directory browsing | decision.api.shisho.dev/v1beta:web_passive_directory_browsing |
| Ensure HSTS header is configured appropriately | decision.api.shisho.dev/v1beta:web_passive_hsts |
| Ensure that Referrer-Policy is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_referrer_policy |
| Ensure that X-Content-Type-Options is appropriately configured | decision.api.shisho.dev/v1beta:web_passive_x_content_type_options |
| Fix SQL injection vulnerability | decision.api.shisho.dev/v1beta:web_sqli |
| Protect from SSRF vulnerability | decision.api.shisho.dev/v1beta:web_ssrf |
| Fix Server-Side Template Injection vulnerability | decision.api.shisho.dev/v1beta:web_ssti |
| Fix XPath injection vulnerability | decision.api.shisho.dev/v1beta:web_xpath_injection |
| Fix XSS vulnerability | decision.api.shisho.dev/v1beta:web_xss |
| Fix XXE vulnerability | decision.api.shisho.dev/v1beta:web_xxe |