Before the VAPT test is performed, make sure the following is configured in web.config and IIS:

1) In web.config, the NetNetCrossDomain value should be the hosted domain name.
2) In web.config, requireSSL should be "true" for clients whose site is served over HTTPS.
3) In web.config, should be false. (Setting common to the AERO and IBTRestservice web.config.)
4) In web.config, should be false. (Setting common to the AERO and IBTRestservice web.config.)
5) In IIS, disable TLS 1.0 and TLS 1.1 (both deprecated by RFC 8996) and serve TLS 1.2 or higher only. The protocol switches live under the SCHANNEL registry keys and take effect after a reboot.
6) In IIS Manager, select the website, open the IP Address and Domain Restrictions icon, click Edit Feature Settings, tick the Enable Proxy Mode checkbox, choose Forbidden as the Deny Action Type and click OK.
7) Deploy IIS with 8.3 names disabled by creating the following registry value on the Windows host: Key: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, Name: NtfsDisable8dot3NameCreation, Value: 1. This only stops new short names from being created; short names that already exist on disk remain until they are stripped with fsutil 8dot3name strip on the site root.
8) If the client has IIS 10.0, remove the Server header by setting removeServerHeader="true" on requestFiltering under the system.webServer node of web.config. (Setting common to the AERO and IBTRestservice web.config.) Responses generated directly by HTTP.sys (for example its own 400 responses) are not covered by this setting.
9) In AERO/appconfig.json, change EmailId to contact[at]63moons[dot]com.
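The IIS and OS items of this checklist (5, 6, 7 and 8) can be verified, and optionally applied, from PowerShell before the tester is given access. The script below is an added example for this page; it is not part of the AERO or IBTRestservice deployment and not code from the original checklist. The site name and web.config path are assumptions to be replaced with the real AERO / IBTRestservice values. It goes beyond the checklist in one place: it also turns TLS 1.1 off, since RFC 8996 deprecates it along with TLS 1.0.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original checklist). Checks, and with -Apply sets,
# the OS/IIS items of the pre-VAPT checklist: TLS 1.0/1.1 off and TLS 1.2 on (item 5),
# ipSecurity proxy mode + Forbidden deny action (item 6), 8.3 name creation off (item 7)
# and the Server header removed on IIS 10.0 (item 8).
param(
    [string]$SiteName      = 'Default Web Site',              # assumption: real site name differs
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\web.config',  # assumption: real path differs
    [switch]$Apply                                             # default is check-only
)
Import-Module WebAdministration -ErrorAction Stop

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# Item 5: SCHANNEL server-side protocol switches. TLS 1.1 is deprecated as well
# (RFC 8996), so only TLS 1.2 (plus TLS 1.3 where the OS offers it) stays enabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy   = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }
foreach ($proto in $policy.Keys) {
    $key  = "$schannel\$proto\Server"
    $want = $policy[$proto]
    if ($Apply) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled           -Value ([int]$want)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $want)) -PropertyType DWord -Force | Out-Null
    }
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    # A missing key means "OS default": protocols that must be off need an explicit
    # Enabled=0; for TLS 1.2 the default (on) is acceptable.
    $pass = if ($want) { ($null -eq $enabled) -or ($enabled -ne 0) } else { $enabled -eq 0 }
    Add-Result "Item 5: $proto server enabled=$want" $pass "Enabled=$enabled (reboot needed after a change)"
}

# Item 6: IP and Domain Restrictions, written at applicationHost.config level for the
# site because the ipSecurity section is locked against web.config by default.
$ipFilter = 'system.webServer/security/ipSecurity'
if ($Apply) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $ipFilter -Name enableProxyMode -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $ipFilter -Name denyAction      -Value 'Forbidden'
}
$ipsec = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $ipFilter
Add-Result 'Item 6: ipSecurity enableProxyMode + denyAction=Forbidden' `
    (($ipsec.enableProxyMode -eq $true) -and ($ipsec.denyAction -eq 'Forbidden')) `
    "enableProxyMode=$($ipsec.enableProxyMode) denyAction=$($ipsec.denyAction)"

# Item 7: NTFS 8.3 name creation. Value 1 only stops new short names; existing ones
# stay until stripped with: fsutil 8dot3name strip /s /v <site root>
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
if ($Apply) { Set-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation -Value 1 -Type DWord }
$v = (Get-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
Add-Result 'Item 7: NtfsDisable8dot3NameCreation=1' ($v -eq 1) "value=$v (existing short names need fsutil strip)"

# Item 8: Server header removal. The removeServerHeader attribute exists from IIS 10.0.
$iisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
if ($iisMajor -ge 10) {
    if ($Apply) {
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/security/requestFiltering' -Name removeServerHeader -Value $true
    }
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $rf = $cfg.configuration.'system.webServer'.security.requestFiltering
    Add-Result 'Item 8: requestFiltering removeServerHeader=true' ($rf.removeServerHeader -eq 'true') "web.config=$WebConfigPath"
} else {
    Add-Result 'Item 8: removeServerHeader' $false "IIS $iisMajor has no removeServerHeader attribute; item applies to IIS 10.0 only"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it once without -Apply to get the pass/fail table for the handover record, then with -Apply and a reboot for the SCHANNEL changes to take effect. Turning TLS 1.0/1.1 off on the server also affects callers of IBTRestservice: clients on older .NET Framework builds only negotiate TLS 1.2 when SchUseStrongCrypto or SystemDefaultTlsVersions is set on their side, so check them before the test window. Items 1 to 4 and 9 are product settings that the script does not cover.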