Missing Security Headers
The app ships no security response headers, leaving it vulnerable to clickjacking, mixed content, MIME sniffing attacks, and cross-site scripting injection.
Typical error
No CSP, HSTS, X-Frame-Options, or X-Content-Type-Options set
What this is
Every HTTP response can include headers that tell the browser "lock down this page." Common ones:
- Strict-Transport-Security: force HTTPS
- X-Frame-Options: DENY: prevent iframing (clickjacking)
- X-Content-Type-Options: nosniff: prevent MIME sniffing
- Referrer-Policy: strict-origin-when-cross-origin: limit referrer leakage
- Content-Security-Policy: control what resources can load
85% of scanned AI-built apps had none of these.
Why AI tools ship this
The generated app works without these headers. They are invisible on the happy path. They only matter when a researcher or attacker points them out.
How to detect
Hit your production URL and check response headers:
curl -sI https://your-app.vercel.app | grep -iE "(strict-transport|x-frame|x-content|content-security|referrer)"
Empty output means you ship no security headers. Note that -I sends a HEAD request; if a server answers HEAD differently from GET, repeat the check with a GET and dump the headers instead: curl -sS -D - -o /dev/null https://your-app.vercel.app
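The same check as a small Node script, added here as an example and not code from the original page. auditSecurityHeaders() grades a response's headers against the checklist above (missing, weak, or CSP still in Report-Only) and works on a fetch() Headers object or a plain object; auditUrl() assumes Node 18+ for the global fetch.

```javascript
// Added example, not from the original page. One check per header from the
// checklist: a predicate on the value plus a hint shown when the value is weak.
const REQUIRED = [
  ['Strict-Transport-Security',
    v => (Number((/max-age=(\d+)/i.exec(v) || [])[1]) || 0) >= 31536000,
    'max-age should be at least one year (31536000)'],
  ['X-Frame-Options',
    v => /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
    'use DENY, or SAMEORIGIN if you frame your own pages'],
  ['X-Content-Type-Options',
    v => v.trim().toLowerCase() === 'nosniff',
    'the only valid value is nosniff'],
  ['Referrer-Policy',
    v => /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i.test(v.trim()),
    'prefer strict-origin-when-cross-origin'],
];

function auditSecurityHeaders(headers) {
  // Case-insensitive lookup: a Headers object has get(); a plain object does not.
  const lookup = typeof headers.get === 'function'
    ? name => headers.get(name)
    : name => {
        const k = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
        return k === undefined ? null : headers[k];
      };
  const findings = [];
  for (const [name, ok, hint] of REQUIRED) {
    const value = lookup(name);
    if (value === null || value === undefined) findings.push(`missing: ${name}`);
    else if (!ok(String(value))) findings.push(`weak: ${name}=${value} (${hint})`);
  }
  // CSP has three states: enforced, report-only (the rollout stage), or absent.
  const csp = lookup('Content-Security-Policy');
  const cspRo = lookup('Content-Security-Policy-Report-Only');
  if (csp == null && cspRo == null) findings.push('missing: Content-Security-Policy');
  else if (csp == null) findings.push('report-only: Content-Security-Policy (not enforced yet)');
  return findings;
}

// Live check against a URL (Node 18+ global fetch). Not called at load time.
async function auditUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return auditSecurityHeaders(res.headers);
}

// Constructed sample: what a default deployment with a half-done rollout might return.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy-Report-Only': "default-src 'self'",
};
```

Run `auditUrl('https://your-app.vercel.app').then(console.log)` to get the list of findings for a live site; an empty array means every header in the checklist is present and enforced.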
How to fix
In Next.js, add to next.config.mjs:
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
]

const nextConfig = {
  // Apply the headers to every route; '/(.*)' matches all paths.
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]
  },
}

export default nextConfig
For CSP, generate a starter policy with a tool like csp-evaluator and tighten iteratively. A too-strict CSP breaks the app, so ship it in Content-Security-Policy-Report-Only first and switch to Content-Security-Policy once the reports show no breakage.
Related
- Glossary: secret exposure