Home URL & OWASP secure headers

Description
I keep getting Home URL is missing required OWASP response header(s): although I have added them.

Home URL: https://lunapark.com/zoom

As you can see, the headers are there; the same is true if you use curl.

curl -I https://lunapark.com/zoom
HTTP/1.1 200 Connection established

HTTP/2 200
content-type: text/html; charset=utf-8
date: Mon, 08 Jul 2024 05:27:44 GMT
content-security-policy: default-src 'self'; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://appssdk.zoom.us https://widget.intercom.io https://js.intercomcdn.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://bat.bing.com https://*.firebaseio.com; img-src 'self' data: blob: https://assets.golunapark.com https://assets.gadder.live https://static.intercomassets.com https://*.intercomcdn.com https://avatars.slack-edge.com https://bat.bing.com; media-src 'self' data: blob: https://media-proxy.lunapark.com https://assets.golunapark.com https://assets.gadder.live; connect-src 'self' data: https://api.lunapark.com wss://crowd-frames-service.lunapark.com https://media-proxy.lunapark.com https://cdn.segment.com https://api.segment.io https://*.intercom.io https://www.googleapis.com https://*.golunapark.com https://*.gadder.live https://api.iconify.design https://api.unisvg.com https://api.simplesvg.com https://*.agora.io https://*.sd-rtn.com https://*.stream-io-api.com https://securetoken.googleapis.com wss://*.intercom.io wss://*.firebaseio.com wss://*.edge.agora.io:* wss://*.edge.sd-rtn.com:* wss://*.stream-io-api.com https://bat.bing.com; base-uri 'self'; form-action 'self'; font-src 'self' data: https://fonts.gstatic.com https://fonts.intercomcdn.com; worker-src 'self' blob:; frame-src 'self' https://*.firebaseio.com https://form.typeform.com
referrer-policy: same-origin
server: Caddy
strict-transport-security: max-age=31536000
vary: Accept-Encoding
x-content-type-options: nosniff
x-cache: Miss from cloudfront
via: 1.1 1b3fd5e3e9b3fd38054dc45b58346688.cloudfront.net (CloudFront)
x-amz-cf-pop: NRT12-C3
x-amz-cf-id: QZ7UL3CXXbPI9kf147CoLtLFuDTsuasVgEta7VNqOAk3kWstUp_IPQ==

After troubleshooting, I noticed Zoom doesn’t check the OWASP headers against the Home URL I filled in, but always checks the headers against the root path.

This is a log I captured in my local dev env. The Home URL I configured is similar (the path is /zoom), but the log shows the requested path is just “/”, not “/zoom”.

2024-07-08T05:18:39Z DBG GET http://localhost:8080/ HTTP/2.0 cfRay=89fd9d747957f68d-NRT connIndex=0 content-length=-1 event=1 headers={"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, br"],"Accept-Language":["en-US,en;q=0.9"],"Cdn-Loop":["cloudflare"],"Cf-Connecting-Ip":["212.107.30.148"],"Cf-Ipcountry":["JP"],"Cf-Ray":["89fd9d747957f68d-NRT"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Warp-Tag-Id":["91c63b6a-6e32-4b97-89c5-3724decca4af"],"Cookie":[],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15"],"X-Forwarded-For":["212.107.30.148"],"X-Forwarded-Proto":["https"]} host=lp-web.kenshin54.me ingressRule=0 path=/

We try to avoid adding the OWASP headers on all pages, especially the root page, because of the content management. I just want to check what the suggestion is here.
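The following is an added example, not code from the post or from Zoom. It turns the post's observation into an offline check: parse a `curl -I` capture (including the proxy `Connection established` preamble seen above, which must be skipped), list which of the required response headers are missing, and derive the site root from a configured Home URL so that both the configured path and `/` are audited. Assumptions, labelled in the code: the required set is the four headers the post's curl output shows (`Strict-Transport-Security`, `X-Content-Type-Options`, `Content-Security-Policy`, `Referrer-Policy`), and the sample responses, the trimmed `/zoom` response and a root response with none of the four, are constructed for the example. The `fetch_head` helper is the live variant for checking a real deployment; the audit itself runs on the embedded samples.

```python
"""Offline checker for the OWASP response headers a Zoom Home URL needs.

Added example (not the post's or Zoom's code). Assumption: the required
set is the four headers the post's curl output shows; Zoom fetches the
site root in addition to the configured path, as the post's tunnel log
suggests, so both URLs are audited.
"""
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Assumed required set, taken from the headers present in the post's capture.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
    "referrer-policy",
)


def parse_curl_head(raw: str):
    """Parse `curl -I` output into (status_line, {lower-cased name: value}).

    When curl goes through an HTTP proxy it first prints the proxy's
    "HTTP/1.1 200 Connection established" line for the CONNECT tunnel,
    then a blank line, then the origin's real response. Only the last
    status block carries the origin's headers, so earlier blocks are dropped.
    """
    text = raw.replace("\r\n", "\n").strip()
    blocks = [b for b in text.split("\n\n") if b.strip()]
    lines = blocks[-1].split("\n")
    status_line, header_lines = lines[0].strip(), lines[1:]
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue
        # Split on the first colon only: CSP values contain "https://..." etc.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def missing_headers(headers: dict) -> list:
    """Return the required headers absent from a lower-cased header dict."""
    return [h for h in REQUIRED_HEADERS if h not in headers]


def urls_to_check(home_url: str) -> list:
    """Configured Home URL plus the site root, which the post's log shows
    is the path actually requested. The root is omitted when it is the
    Home URL itself."""
    parts = urlsplit(home_url)
    root = urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return [home_url] if root == home_url else [home_url, root]


def audit(responses: dict) -> dict:
    """Map each URL in `responses` (url -> raw curl -I text) to its missing
    required headers; an empty list means that URL passes."""
    result = {}
    for url, raw in responses.items():
        _, headers = parse_curl_head(raw)
        result[url] = missing_headers(headers)
    return result


def fetch_head(url: str, timeout: int = 10) -> dict:
    """Live variant: HEAD the URL and return lower-cased headers.
    Non-2xx responses still carry headers, so they are returned too."""
    req = Request(url, method="HEAD", headers={"User-Agent": "owasp-header-check/1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


# Constructed sample captures for the example (not real responses):
# the /zoom capture is the post's output trimmed to the relevant headers,
# the root capture is assumed to serve none of the four.
SAMPLE_RESPONSES = {
    "https://lunapark.com/zoom": """HTTP/1.1 200 Connection established

HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; frame-src 'self' https://form.typeform.com
referrer-policy: same-origin
server: Caddy
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
""",
    "https://lunapark.com/": """HTTP/2 200
content-type: text/html; charset=utf-8
server: Caddy
""",
}

if __name__ == "__main__":
    for url in urls_to_check("https://lunapark.com/zoom"):
        missing = audit({url: SAMPLE_RESPONSES[url]})[url]
        print(url, "OK" if not missing else "missing: " + ", ".join(missing))
```

Running the block against the constructed samples reports the configured path as passing and the root as missing all four headers, which is exactly the situation the post describes: a check that only ever looks at the Home URL would never surface it. To audit a live deployment, pass `fetch_head(url)` for each URL from `urls_to_check(...)` to `missing_headers` instead of the samples.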