In this article, we will take a look at what you can do if the PCI compliance test of your security device fails with one or more of the following findings:
X-XSS-Protection HTTP Header missing on port 443.
X-Content-Type-Options HTTP Header missing on port 443.
Strict-Transport-Security HTTP Header missing on port 443.
Please first check the following article: Zyxel | PCI Compliance - Best Practice
There are some CLI commands that you can run if the test still fails:
For 5.00 (ATP / USG FLEX / VPN) and higher:
Router> configure terminal
Router(config)# ip http x-content-type-options
Router(config)# write
For 4.65 (USG Series / Legacy [ZyWall] Series) and above:
Router> configure terminal
Router(config)# ip http content-security-policy
Router(config)# write
Router(config)# ip http x-frame-options
Router(config)# write
Strict-Transport-Security HTTP Header missing on port 443.
Our ‘HTTP redirect to HTTPS’ feature can fulfil the underlying requirement to communicate only over HTTPS instead of HTTP.
However, a PCI scanning tool that checks this item will still report it as failing, because the scan looks for the Strict-Transport-Security header itself; the device nevertheless detects plain HTTP requests and redirects them in any case.
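To verify the result after applying the commands above, here is an added Python check (not Zyxel code or a tool from this article) that fetches the response headers of the device's HTTPS management page and reports which of the three headers the scan looks for are missing or weak. The header names come from the article; the expected minimum values, the HEAD request to "/" and the device host name are assumptions.

```python
import http.client
import re
from typing import Dict, List

# The three headers the PCI scan in this article reports as missing on port 443,
# each with the minimum value fragment the check expects (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1",
}


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTPS response; an empty list means all three pass.

    `headers` maps header name -> value (any case), e.g. dict(resp.getheaders()).
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"{name}: HTTP Header missing")
        elif expected not in value.lower():
            findings.append(f"{name}: present but weak value '{value}'")
    # HSTS with max-age=0 tells browsers to drop the policy, so flag it too.
    hsts = lower.get("strict-transport-security", "").replace(" ", "")
    if re.search(r"max-age=0(?!\d)", hsts, re.IGNORECASE):
        findings.append("strict-transport-security: max-age=0 disables HSTS")
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/") -> Dict[str, str]:
    """Fetch the headers of the HTTPS management page using only the stdlib.

    Default certificate validation applies, so a self-signed device certificate
    raises an error unless it is trusted by the local CA store.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed device address; replace with the management IP of your unit.
    for finding in audit_security_headers(fetch_headers("192.0.2.1")) or ["all headers present"]:
        print(finding)
```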