ZAP – Sec-Fetch-Dest Header Has an Invalid Value

Details
Alert ID	90005-7
Alert Type	Passive
Status	alpha
Risk	Informational
CWE	352
WASC	9
Technologies Targeted	All
Tags	CWE-352 WSTG-V42-SESS-05
More Info	Scan Rule Help

Summary

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Solution

Sec-Fetch-Dest header must have one of the following values: audio, audioworklet, document, embed, empty, font, frame, iframe, image, manifest, object, paintworklet, report, script, serviceworker, sharedworker, style, track, video, worker, xslt.

Other Info

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest

Code

org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRule.java