F-2025-0013·configuration
Missing security headers
TL;DR
Common defense-in-depth security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) were not set on the application responses.
Severity
LOW
Impact
LOW
Likelihood
LOW
Method
Manual review
CAT.
Complexity
LOW
Exploitability
LOW
Description
The application responses did not include common security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, X-Content-Type-Options. These are defense-in-depth controls; missing them widens the impact surface of related issues.
Recommendation
Set a baseline header policy via middleware or the hosting platform: strict CSP, HSTS with preload, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, X-Content-Type-Options nosniff, and a Permissions-Policy locking down unused APIs.
Initia: Acknowledged. Pashov Audit Group: Acknowledged.