Missing Security Headers
detect, understand, remediate
Missing HTTP security headers leave applications vulnerable to clickjacking, XSS, MIME sniffing, and other client-side attacks that are easily prevented with proper header configuration.
No credit card required. Free plan available forever.
What are missing HTTP security headers?
HTTP security headers are response headers that instruct browsers to enable built-in security features, preventing cross-site scripting (XSS), clickjacking, MIME sniffing, and other client-side attacks. When these headers are missing, browsers fall back to their default (often insecure) behaviour, leaving users vulnerable to a wide range of attacks.
The six essential security headers are: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each addresses a specific attack vector, and together they form a critical defence-in-depth layer that complements server-side security controls.
Missing security headers are one of the most common findings in penetration tests and vulnerability assessments. They are easy to detect, straightforward to implement, and provide immediate security benefits, yet many production applications still ship without them because frameworks do not set them by default.
How it works
No CSP header
Without Content-Security-Policy, browsers execute any inline scripts or load resources from any origin, enabling XSS attacks to run arbitrary JavaScript in the user's session.
No HSTS header
Without Strict-Transport-Security, the first request to a site may go over HTTP, allowing a man-in-the-middle attacker to intercept or redirect the connection before HTTPS kicks in.
No X-Frame-Options
Without framing protection, an attacker can embed your application in an invisible iframe and trick users into clicking hidden UI elements (clickjacking).
No X-Content-Type-Options
Without nosniff, browsers may MIME-sniff responses and interpret uploaded files as executable content, turning file uploads into XSS vectors.
No Referrer-Policy
Without a referrer policy, full URLs (including query parameters with tokens or sensitive data) are leaked to third-party sites in the Referer header.
No Permissions-Policy
Without Permissions-Policy (formerly Feature-Policy), embedded content can access sensitive browser APIs like camera, microphone, geolocation, and payment.
Common causes
Default server configuration
Web servers (Nginx, Apache, IIS) and CDNs do not set security headers by default. Without explicit configuration, responses are sent without any security header protections.
Lack of awareness
Development teams may not understand the purpose or importance of each security header, leading them to omit headers they don't recognise or consider optional.
Framework defaults
Many web frameworks do not include security headers in their default response configuration, requiring developers to add middleware or configuration explicitly.
CSP complexity
Content-Security-Policy is notoriously difficult to configure correctly, especially for applications with inline scripts, third-party widgets, and CDN-hosted resources, leading teams to skip it entirely.
How to detect it
Automated detection
- SecPortal's security headers scanner checks all six essential headers and grades your configuration with specific remediation guidance
- Continuous monitoring alerts you when header configurations change or regress after deployments
- External scanning evaluates headers across all discovered subdomains and paths to identify inconsistent configurations
Manual testing
- Inspect response headers in browser developer tools (Network tab) for each of the six essential security headers
- Test CSP effectiveness by attempting to inject inline scripts and load external resources to verify the policy blocks them
- Attempt to iframe the application from an external page to verify X-Frame-Options or CSP frame-ancestors is working
How to fix it
Implement Content-Security-Policy
Start with a strict CSP that blocks inline scripts (script-src with nonces or hashes), restricts resource origins, and reports violations. Use CSP report-only mode to test before enforcing.
Deploy Strict-Transport-Security
Set HSTS with max-age=31536000, includeSubDomains, and preload. This ensures all future connections use HTTPS and prevents protocol downgrade attacks.
Set X-Frame-Options to DENY or SAMEORIGIN
Prevent your pages from being embedded in iframes on other sites. Use DENY unless you specifically need same-origin framing. CSP frame-ancestors provides more granular control.
Enable X-Content-Type-Options: nosniff
Prevent browsers from MIME-sniffing responses away from the declared Content-Type. This stops browsers from interpreting uploaded files as executable content.
Configure Referrer-Policy and Permissions-Policy
Set Referrer-Policy to strict-origin-when-cross-origin or no-referrer. Configure Permissions-Policy to disable unnecessary browser features like camera, microphone, and geolocation.
Compliance impact
Check your security headers
SecPortal grades your HTTP headers and tracks improvements over time. Try our free Security Headers Checker or start scanning.
No credit card required. Free plan available forever.