After performing scans for our site just this month I am seeing those same issues and others that shouldn't be there. Most issues are simple fixes they can make to their servers and site base header templates.

HubSpot needs to fix these issues or risk losing customers to another CRM that takes security seriously.

"

No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:
* The victim has an active session on the target site.
* The victim is authenticated via HTTP auth on the target site.
* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.

"

Hi @kenord,

Thank you for your feedback! I appreciate you bringing these questions to the Community. I wanted to share the following status updates with you: 

1. X-Frame-Options

The challenges with these kinds of HTTP headers are that it is easy to break expected website functionality. Unexpected behavior related to the headers takes expertise to troubleshoot; and the header construct needs to be updated regularly as content structure is changed. This header is designed to prevent HTML or javascript from working in certain (and possibly intended) cases. For instance, if X-frame-options was implemented by default, then customers would need to pre-identify all domains on which they wanted to frame landing pages and other content. This would add complexity to the customer experience without appreciably lowering the risk of clickjacking.

With that said, it is possible to embed mechanisms like frame busting (i.e., equivalent to X-frame-options) into the HTML header of your sites where you deem appropriate. Those options give you control over how additional protections are implemented. If you decide to implement the functions in HTML, please be aware that domain-agnostic frame-busting javascript will interfere with typical use of content editing features in your HubSpot portal. In particular, the preview pane you see when you're editing a blog post, email, or website is presented within a frame. If you configured that page (or the design layout) to prevent iframes, it's possible that you won't be able to use the content editing tools that are available in your portal.

2. X-XSS

Most modern browsers default to 'X-XSS-Protection: 1'. That means that the browser will prevent a detected cross-site scripting attack by default, and doesn't require a header from the visited website to protect itself.

3. X-Content Type-Options

The HubSpot platform does not set the X-Content-Type-Options header to 'nosniff'. Rather, we set a MIME type so sniffing does not occur in general. The HubSpot platform automatically sets a MIME type for javascript and CSS files, in particular.

HubSpot will not be modifying these policies for the reasons outlined above. 

Thank you,

Jenny