Security Reports
PRE-SCAN (WAF off) vs POST-SCAN (WAF on)
Scans performed by the F5 Distributed Cloud Web Application Scan (WAS)
PRE-SCAN (WAF OFF) Insecure
Baseline scan with no active security controls.
- Critical vulnerabilities exposed.
- High severity XSS detected on /search.
High severity reflected XSS appears in PRE-SCAN.
| Vulnerability | Name/Path | Severity |
|---|---|---|
| Cross-site Scripting (Reflected) | /search | 9.1 High |
| Cross-site Scripting (Reflected) | /search | 9.1 High |
| Missing Security Headers | Strict-Transport-Security | 4.3 Medium |
| Insecure Transport Layer | DNS Server | 4.0 Medium |
| Missing Security Headers | X-Frame-Options | 3.7 Low |
| Missing Security Headers | X-Content-Type-Options | 3.7 Low |
| Missing Security Headers | Content-Security-Policy | 3.7 Low |
| Cookie without Secure Flag | session | 3.7 Low |
| Missing Subresource Integrity | - | 2.6 Low |
| Logging and Monitoring | - | 0.0 Info |
POST-SCAN (WAF ON) Secured
Scan results after F5 WAAP/WAF activation.
- Critical vulnerabilities mitigated.
- Reflected XSS successfully blocked by WAAP.
Reflected XSS no longer appears in the POST-SCAN after WAAP/WAF is enabled; the remaining header, cookie, transport and subresource-integrity findings are unchanged between the two scans.
| Vulnerability | Name/Path | Severity |
|---|---|---|
| Missing Security Headers | Strict-Transport-Security | 4.3 Medium |
| Insecure Transport Layer | DNS Server | 4.0 Medium |
| Missing Security Headers | X-Frame-Options | 3.7 Low |
| Missing Security Headers | X-Content-Type-Options | 3.7 Low |
| Missing Security Headers | Content-Security-Policy | 3.7 Low |
| Cookie without Secure Flag | session | 3.7 Low |
| Missing Subresource Integrity | - | 2.6 Low |
| Logging and Monitoring | - | 0.0 Info |