What’s New in PCI-DSS v4.0: HTTP Header Tamper Detection


PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. This article is part of a series of articles under the “What’s New in PCI-DSS v4.0” series where we explore what has changed in PCI-DSS moving to version 4, with version 3.2.1. to be retired as of 31 March 2024. Read the other articles here:

A new clause (11.6.1.) has been added under Requirement 11: Test Security of Systems and Networks Regularly:

11.6.1. A change- and tamper-detection mechanism is deployed as follows:

  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
  • The mechanism is configured to evaluate the received HTTP header and payment page.

This means that mechanisms and/or programmes must be deployed to monitor HTTP headers and the content of payment pages. Any unauthorised modifications made to the HTTP headers or page contents (that will be received on the client-side) will generate an alert, for immediate rectification.
HTTP header tampering is a serious security issue that can compromise the confidentiality, integrity, and availability of web applications. Four consequences are as follows:

  1. Leaking of Sensitive Information – HTTP headers can contain sensitive information, such as session IDs, user credentials, and other personal data. If attackers can tamper with these headers, they can steal this information and use it for malicious purposes, such as identity theft or fraud.
  2. Vulnerable to Cross-Site Scripting (XSS) Attacks – XSS attacks are a common type of web application attack that can be used to inject malicious scripts into web pages. By tampering with HTTP headers, attackers can modify or remove security headers that protect against XSS attacks, making it easier to exploit vulnerabilities in the web application.
  3. Vulnerable to Denial of Service (DoS) Attacks – HTTP headers can be used to prevent or mitigate DoS attacks by setting limits on the number of requests that can be sent to the web application or by blocking requests from suspicious or malicious sources. If attackers can tamper with these headers, they can bypass these security controls and launch more effective DoS attacks.
  4. Loss of Customer Trust – A security breach that compromises sensitive data can damage an organization’s reputation and erode customer trust. Without implementing strong controls to prevent HTTP header tampering, organizations can lose their customers’ data, which can erode customer trust and loyalty.

Overall, preventing HTTP header tampering is critical for protecting web applications. By implementing appropriate security controls and monitoring for unauthorized access or changes to HTTP headers, organizations can reduce the risk of data breaches, prevent attacks, and maintain customer trust.

WebOrion will be adding capabilities to check for these new requirements in PCI-DSS version 4. If this is something you are interested in, please contact us at sales@weborion.io