Vulnerability Details
Severity:
Low
Category:
web
Description
The application does not implement recommended HTTP security headers, reducing defense-in-depth protections against common web attacks.
Risks
Missing headers such as Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options leave the application more exposed to cross-site scripting (XSS), clickjacking, and MIME-type sniffing attacks.
Remediation
Implement Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy headers. Use security header analysis tools to verify configuration.
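The verification step above can be automated. The following is an added example (not part of the original finding) that audits a captured response header map for the five headers named in the remediation; the "safe" baseline values and the 180-day HSTS minimum are assumed common defaults, not values from the finding.

```python
# Added example: audit a captured HTTP response header map for the five headers
# the remediation names. Baseline "safe" values below are assumed defaults.
SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed minimum


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def audit_security_headers(headers: dict) -> list:
    """Return findings for missing or weak headers; [] means all checks pass."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp and not ("nonce-" in csp or "sha256-" in csp):
        # Without nonces/hashes, 'unsafe-inline' removes most of CSP's XSS value.
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    # CSP frame-ancestors is the modern equivalent of X-Frame-Options.
    if h.get("x-frame-options", "").upper() not in SAFE_FRAME_OPTIONS \
            and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing or weak (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")
    if hsts_max_age(h.get("strict-transport-security", "")) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or permissive")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=300"}
HARDENED = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs) or ["OK"])
```

The WEAK map shows that a header which is present but misconfigured (a 5-minute HSTS max-age, an unsupported X-Frame-Options value) is reported the same way as an absent one.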