diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index e526ab32..81dbaaed 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -799,10 +799,6 @@ function handleResponse() {
A service worker is a **script** that your browser **runs** in the **background**, separate from a web page, opening the door to features that don't need a web page or user interaction. ([More info about what is a service worker here](https://developers.google.com/web/fundamentals/primers/service-workers)).\
The goal of this attack is to **create service workers** on the **victim session** inside the **vulnerable** web **domain** that grant the **attacker control** over **all the pages** the **victim** will load in **that domain**.
-You can see them in the **Service Workers** field in the **Application** tab of **Developer Tools**. You can also look at [chrome://serviceworker-internals](https://chromium.googlesource.com/chromium/src/+/main/docs/security/chrome%3A/serviceworker-internals).
-
-If the victim didn't grant push notifications permissions the service worker won't be able to receive communications from the server if the user doesn't access the attacker page again. This will prevent for example, maintain conversations with all the pages that accessed the attacker web page so web a exploit if found the SW can receive it and execute it. However, if the victim grants push notifications permissions this could be a risk.
-
In order to exploit this vulnerability you need to find:
* A way to **upload arbitrary JS** files to the server and a **XSS to load the service worker** of the uploaded JS file
@@ -845,8 +841,6 @@ var sw = "/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.requ
There is **C2** dedicated to the **exploitation of Service Workers** called [**Shadow Workers**](https://shadow-workers.github.io) that will be very useful to abuse these vulnerabilities.
-In an XSS situation, the 24 hour cache directive limit ensures that a malicious or compromised SW will outlive a fix to the XSS vulnerability by a maximum of 24 hours (assuming the client is online). Site operators can shrink the window of vulnerability by setting lower TTLs on SW scripts. We also encourage developers to [build a kill-switch SW](https://stackoverflow.com/questions/33986976/how-can-i-remove-a-buggy-service-worker-or-implement-a-kill-switch/38980776#38980776).
-
### Polyglots
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
diff --git a/pentesting/pentesting-web/special-http-headers.md b/pentesting/pentesting-web/special-http-headers.md
index a4c73fbb..d1907ca1 100644
--- a/pentesting/pentesting-web/special-http-headers.md
+++ b/pentesting/pentesting-web/special-http-headers.md
@@ -126,22 +126,111 @@ Trusted Types provide the tools to write, security review, and maintain applicat
To create these objects you can define security policies in which you can ensure that security rules (such as escaping or sanitization) are consistently applied before the data is written to the DOM. These policies are then the only places in code that could potentially introduce DOM XSS.
-Example usa
-
```http
Content-Security-Policy: require-trusted-types-for 'script'
```
```javascript
-// Feature detectionif (window.trustedTypes && trustedTypes.createPolicy) { // Name and create a policy const policy = trustedTypes.createPolicy('escapePolicy', { createHTML: str => { return str.replace(/\/g, '>'); } });}
+// Feature detection
+if (window.trustedTypes && trustedTypes.createPolicy) {
+ // Name and create a policy
+ const policy = trustedTypes.createPolicy('escapePolicy', {
+ createHTML: str => {
+ return str.replace(/\/g, '>');
+ }
+ });
+}
```
```javascript
-// Assignment of raw strings is blocked by Trusted Types.el.innerHTML = 'some string'; // This throws an exception.// Assignment of Trusted Types is accepted safely.const escaped = policy.createHTML('
');el.innerHTML = escaped; // '<img src=x onerror=alert(1)>'
+// Assignment of raw strings is blocked by Trusted Types.
+el.innerHTML = 'some string'; // This throws an exception.
+
+// Assignment of Trusted Types is accepted safely.
+const escaped = policy.createHTML('');
+el.innerHTML = escaped; // '<img src=x onerror=alert(1)>'
```
+### X-Content-Type-Options
+When a malicious HTML document is served from your domain (for example, if an image uploaded to a photo service contains valid HTML markup), some browsers will treat it as an active document and allow it to execute scripts in the context of the application, leading to a [cross-site scripting bug](https://www.google.com/about/appsecurity/learning/xss/).
+
+`X-Content-Type-Options: nosniff` prevents it by instructing the browser that the [MIME type](https://mimesniff.spec.whatwg.org/#introduction) set in the `Content-Type` header for a given response is correct. This header is recommended for **all of your resources**.
+
+```http
+X-Content-Type-Options: nosniff
+```
+
+### X-Frame-Options
+
+If a malicious website can embed your site as an iframe, this may allow attackers to invoke unintended actions by the user with [clickjacking](https://portswigger.net/web-security/clickjacking). Also, in some cases [Spectre-type attacks](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)) give malicious websites a chance to learn about the contents of an embedded document.
+
+`X-Frame-Options` indicates whether or not a browser should be allowed to render a page in a ``, `