Severity: Medium
Affected area: HTTP response headers (global)
Issue:
Common security headers are absent (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS), reducing defense-in-depth.
Mitigation plan:
- Add a centralized security-header middleware/helper.
- Set
X-Content-Type-Options: nosniff, X-Frame-Options: DENY, strict Referrer-Policy, minimal Permissions-Policy.
- Enable HSTS in HTTPS production environments.
Verification / tests:
- Header tests on key routes to assert all expected security headers.
Severity: Medium
Affected area: HTTP response headers (global)
Issue:
Common security headers are absent (
X-Content-Type-Options,X-Frame-Options,Referrer-Policy,Permissions-Policy,HSTS), reducing defense-in-depth.Mitigation plan:
X-Content-Type-Options: nosniff,X-Frame-Options: DENY, strictReferrer-Policy, minimalPermissions-Policy.Verification / tests: