No security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy)
The application did not return common defense-in-depth security headers, leaving the browser without baseline protections against XSS, clickjacking, and protocol downgrade.
Description
Responses did not include common security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, and related browser-level protections. These do not stop bugs at the source, but they significantly raise the cost of exploitation when paired with XSS, clickjacking, or man-in-the-middle scenarios.
Impact
- XSS impact is larger: a CSP would have blocked inline scripts or restricted external script origins.
- Clickjacking is possible: no X-Frame-Options or CSP frame-ancestors.
- HTTPS downgrade scenarios are not prevented by HSTS.
- Referrer leakage to third parties is more permissive than necessary.
Recommendation
Add a baseline header set via Next.js middleware or hosting platform configuration:
- Content-Security-Policy (start strict, allowlist your real sources)
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- X-Content-Type-Options: nosniff
- Permissions-Policy to lock down unused APIs
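The baseline set above, as an added example that is not part of the audit report or the project's own code: a header map that can be applied from Next.js middleware (or any Headers-like object), plus an audit helper that reports which baseline headers a response is missing. The CSP source list and the Permissions-Policy features are assumed placeholders to be tuned to the real application.

```javascript
// Baseline defense-in-depth headers recommended in the finding, kept as a plain
// object so the same set can be applied from middleware, next.config.js or a proxy.
const BASELINE_SECURITY_HEADERS = {
  // Assumed starting policy: strict by default, widen to the app's real origins.
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  // Assumed placeholder: deny the browser APIs this application does not use.
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Normalise a plain object or a Headers instance to Headers (case-insensitive).
function asHeaders(headers) {
  return headers instanceof Headers ? headers : new Headers(headers);
}

// Audit helper: return the baseline header names that are absent or empty on a
// response, so a deploy check can fail before the gap reaches production.
function missingSecurityHeaders(headers) {
  const h = asHeaders(headers);
  return Object.keys(BASELINE_SECURITY_HEADERS).filter((name) => {
    const value = h.get(name);
    return value === null || value.trim() === "";
  });
}

// Apply the baseline without clobbering a header a specific route already set
// (e.g. a page that legitimately uses a per-request CSP nonce).
// In Next.js middleware this would be called on NextResponse.next().headers.
function applySecurityHeaders(headers) {
  const h = asHeaders(headers);
  for (const [name, value] of Object.entries(BASELINE_SECURITY_HEADERS)) {
    if (!h.has(name)) h.set(name, value);
  }
  return h;
}
```

Running missingSecurityHeaders against a live response is a quick regression check that the fix stays deployed after hosting or middleware changes.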
Ipal Network: Confirmed. Zealynx: Fixed.