
Offensive360
Beginner · 15 min

Missing Security Headers

Learn which HTTP security headers protect against common attacks and how to set them via middleware.

1 Essential Security Headers

HTTP security headers are the first line of defense for web applications. Missing these headers leaves users exposed to common attacks that browsers could otherwise prevent.

Critical headers and their purpose:

  • Strict-Transport-Security: Forces HTTPS connections and prevents SSL stripping
  • X-Content-Type-Options: nosniff: Prevents MIME-type sniffing attacks
  • X-Frame-Options: DENY: Prevents clickjacking
  • Referrer-Policy: strict-origin-when-cross-origin: Controls referrer information leakage
  • Permissions-Policy: Restricts browser feature access (camera, microphone, geolocation)

Consequences of missing headers:

# Without HSTS — attacker can SSL-strip HTTPS to HTTP
# Without X-Content-Type-Options — browser may execute uploaded files as scripts
# Without X-Frame-Options — clickjacking attacks succeed
# Without Referrer-Policy — sensitive URL parameters leak to third parties

Tools like SecurityHeaders.com and OWASP ZAP will flag missing headers in every security scan.

2 Set All Security Headers via Middleware

Set security headers consistently via middleware rather than per-route to ensure no endpoint is missed.

Using Helmet.js (Node.js):

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet());  // Sets sensible defaults for all headers

// Or configure specific headers:
app.use(helmet({
  hsts: {
    maxAge: 31536000,  // 1 year, in seconds
    includeSubDomains: true,
    preload: true
  },
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
    }
  },
  frameguard: { action: "deny" },  // X-Frame-Options: DENY
  referrerPolicy: { policy: "strict-origin-when-cross-origin" },
}));

Manual header setting (any language; Django shown here):

# Django middleware: wraps every response so that no view is missed
def security_headers_middleware(get_response):
    def middleware(request):
        response = get_response(request)
        response["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
        response["X-Content-Type-Options"] = "nosniff"
        response["X-Frame-Options"] = "DENY"
        response["Referrer-Policy"] = "strict-origin-when-cross-origin"
        response["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
        return response
    return middleware
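As an added example (not part of the Offensive360 lesson), the following plain Express-style middleware sets the headers listed above without Helmet, and an audit function checks a response's headers the way a scanner such as SecurityHeaders.com would, flagging both missing and weak values. The `res.setHeader` shape and the `demo` helper are assumptions for illustration.

```javascript
// Added example, not from the lesson. Minimal middleware plus a header audit.
const ONE_YEAR = 31536000; // seconds; recommended HSTS minimum

// Header values the lesson recommends, keyed by lowercase header name.
const REQUIRED = {
  "strict-transport-security": `max-age=${ONE_YEAR}; includeSubDomains`,
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

// Express-style middleware (assumed signature): sets every header on every response.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED)) res.setHeader(name, value);
  next();
}

// Audit a header map (names are case-insensitive). Returns a list of findings;
// an empty list means the response carries every header with an acceptable value.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const name of Object.keys(REQUIRED)) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  if (h["strict-transport-security"]) {
    const m = /max-age=(\d+)/i.exec(h["strict-transport-security"]);
    const age = m ? Number(m[1]) : 0; // a missing max-age counts as 0
    if (age < ONE_YEAR) findings.push(`weak strict-transport-security: max-age ${age} < ${ONE_YEAR}`);
  }
  if (h["x-content-type-options"] && h["x-content-type-options"].toLowerCase() !== "nosniff")
    findings.push("weak x-content-type-options: expected nosniff");
  if (h["x-frame-options"] && !["DENY", "SAMEORIGIN"].includes(h["x-frame-options"].toUpperCase()))
    findings.push("weak x-frame-options: expected DENY or SAMEORIGIN");
  const okReferrer = ["no-referrer", "strict-origin", "strict-origin-when-cross-origin", "same-origin"];
  if (h["referrer-policy"] && !okReferrer.includes(h["referrer-policy"].toLowerCase()))
    findings.push("weak referrer-policy: may leak full URL cross-origin");
  return findings;
}

// Constructed demo: run the middleware against a fake response object, then audit it.
function demo() {
  const sent = {};
  const res = { setHeader: (k, v) => { sent[k] = v; } };
  securityHeaders({}, res, () => {});
  return auditHeaders(sent); // returns [] for a compliant response
}
```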

Knowledge Check

Q1

What attack does the Strict-Transport-Security (HSTS) header prevent?

Q2

What does X-Content-Type-Options: nosniff prevent?

Q3

Why is using a middleware like Helmet.js for security headers better than setting them per-route?

Code Exercise

Add Security Headers Middleware

The Express app has no security headers. Add a middleware function that sets HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers.
