Missing html tags are always a vulnerability?

Hi, i check an html file with asserts, and I find vulnerabilities in the checks fluidasserts.lang.html -> is_cacheable and fluidasserts.lang.html -> is_header_content_type_missing, in the backend there is a file that adds to the headers (“Cache-Control”, “private, no-cache, no-store, must-revalidate”),
covering what is supposed to be in the html file.
My question is, should the vulnerabilities present in the html file of the front be reported, or should not be reported since they are declared in the back end.

Only avoid the report, if you have dynamic evidence (DAST, burp, etc) that the compensatory controls (the others that you mention) are working properly. If you decide to report it, mention on the documentation this analysis.


Please remember that, as the HTML Specification, the documents are required to have meta elements specifying pragma directives only if the headers these directives convey are not explicitly sent in the response.


So, if the response headers establish the values for these fields, the document is not obligated to do so.

Hi there @Song-two

If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question (go to the answer, click on the ellipsis and then the solved button).