Offensive360
Severity: Low | CWE-693 (Protection Mechanism Failure) | OWASP A05:2021 Security Misconfiguration

Missing Security Headers

Missing HTTP security headers leave applications vulnerable to clickjacking, MIME sniffing, XSS, and information disclosure. Learn which headers are essential and how to configure them.

Affects: C#, Java, JavaScript, PHP, Python, Go, Ruby

What are Missing Security Headers?

HTTP security headers are response headers that instruct browsers to enable or restrict specific behaviors, providing an additional layer of defense against common web attacks. When these headers are absent, applications are exposed to attacks that browsers could otherwise block.

Missing security headers are not direct vulnerabilities by themselves — they are defense-in-depth controls. However, their absence often means that other vulnerabilities (XSS, clickjacking, MIME confusion) are more easily exploitable. Security scanners, compliance audits, and penetration tests routinely flag missing headers.

The most impactful headers to implement are: Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, and Referrer-Policy. Note that X-Frame-Options is being superseded by the CSP frame-ancestors directive; sending both keeps older browsers covered.

Key security headers and their purpose

Header                     | Risk if missing                 | Recommended value
---------------------------|---------------------------------|------------------------------------------
Content-Security-Policy    | XSS, data injection             | default-src 'self'; ...
X-Frame-Options            | Clickjacking                    | DENY
Strict-Transport-Security  | SSL stripping                   | max-age=31536000; includeSubDomains
X-Content-Type-Options     | MIME sniffing                   | nosniff
Referrer-Policy            | Data leakage in Referer         | strict-origin-when-cross-origin
Permissions-Policy         | Feature abuse                   | camera=(), microphone=(), geolocation=()

Vulnerable code examples

ASP.NET Core — no security headers

// VULNERABLE: Default middleware pipeline — no security headers added
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();   // redirects to HTTPS but never sends HSTS
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapControllers();
app.Run();
// Missing: security headers middleware (no CSP, X-Frame-Options, nosniff, HSTS, Referrer-Policy)

Express / Node.js — no helmet

// VULNERABLE: No security headers configured
const express = require('express');
const app = express();
app.use(express.json());
app.get('/', (req, res) => res.send('hello'));
app.listen(3000);
// Missing: helmet or manual header configuration
// Express also advertises itself via "X-Powered-By: Express" by default

Secure code examples

ASP.NET Core — security headers middleware

// SECURE: Add security headers to all responses
// Register this before UseStaticFiles so static assets receive the headers too.
// The indexer overwrites an existing value; Headers.Add throws if the key is already present.
app.Use(async (ctx, next) => {
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    ctx.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    ctx.Response.Headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    // Browsers only honour HSTS on HTTPS responses; app.UseHsts() is the built-in alternative.
    ctx.Response.Headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
    // style-src 'unsafe-inline' is a concession for inline styles; tighten it once styles are externalised.
    ctx.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
    await next();
});

Express / Node.js — helmet

// SECURE: helmet configures all essential headers with secure defaults
const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet also removes X-Powered-By; the options below override its defaults
// for the headers this page recommends.
app.use(helmet({
    contentSecurityPolicy: {
        directives: {
            defaultSrc: ["'self'"],
            scriptSrc: ["'self'"],
            styleSrc: ["'self'", "'unsafe-inline'"],
        }
    },
    hsts: { maxAge: 31536000, includeSubDomains: true },
    frameguard: { action: 'deny' },
    noSniff: true,
    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));

app.use(express.json());

Python / Django

# SECURE: Django security middleware settings
# settings.py
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',           # HSTS, nosniff, Referrer-Policy
    'django.middleware.clickjacking.XFrameOptionsMiddleware',  # X-Frame-Options
    # other middleware entries follow
]
SECURE_CONTENT_TYPE_NOSNIFF = True        # X-Content-Type-Options: nosniff
X_FRAME_OPTIONS = 'DENY'                  # X-Frame-Options: DENY
SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'  # Referrer-Policy
SECURE_HSTS_SECONDS = 31536000            # Strict-Transport-Security; set only once the site is fully HTTPS
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
# SECURE_BROWSER_XSS_FILTER (X-XSS-Protection) is legacy: current browsers ignore the header
# and recent Django versions dropped the setting. CSP is not covered by these settings;
# use the django-csp package or a custom middleware for Content-Security-Policy.

What Offensive360 detects

  • Missing X-Content-Type-Options — Absent header, allowing browsers to MIME-sniff responses
  • Missing X-Frame-Options — No framing protection (clickjacking risk)
  • Missing Strict-Transport-Security — Browsers are not told to use HTTPS on subsequent visits
  • Missing or weak Content-Security-Policy — Absent CSP, or an overly permissive one such as default-src *
  • Missing Referrer-Policy — URL data leakage via the Referer header to third parties
  • Server version disclosure — Server and X-Powered-By headers revealing the technology stack

Remediation guidance

  1. Apply security headers globally — Use middleware that adds headers to every response, rather than per-controller or per-endpoint configuration.

  2. Start with a strict CSP — Begin with default-src 'self' and relax specific directives only as needed. Avoid 'unsafe-eval' and 'unsafe-inline' in script-src; use nonces or hashes for inline scripts you cannot move into files.

  3. Enable HSTS — Once your site is fully HTTPS (including all subdomains if you use includeSubDomains), enable Strict-Transport-Security with a long max-age and submit to the HSTS preload list. Preloading is hard to undo, so confirm HTTPS coverage first.

  4. Remove information-disclosure headers — Remove or override Server, X-Powered-By, X-AspNet-Version, and similar headers that reveal technology versions.

  5. Test with automated tools — Use securityheaders.com or OWASP ZAP to audit header configuration before deployment, or check a single response with curl -I against the deployed site.

By Offensive360 Security Research. Reviewed: March 2026.
