Severity: medium | Web Security

Missing HTTP Security Headers Expose Application to Common Attacks

What Is This Vulnerability?

HTTP security headers like X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy instruct the browser to enable built-in protections. Without these headers, your application is vulnerable to clickjacking, MIME-type sniffing attacks, protocol downgrade attacks, and information leakage through referrer URLs.

Why It Happens

Many frameworks do not set security headers by default. Developers focus on application logic and overlook response headers because they are invisible to end users. Without automated security scans or header audits in CI, these omissions go unnoticed until a penetration test or breach reveals them.

Example Code

Vulnerable: middleware.ts
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

export function middleware(request: NextRequest) {
  const response = NextResponse.next();
  // No security headers set
  return response;
}
Fixed: middleware.ts
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

export function middleware(request: NextRequest) {
  const response = NextResponse.next();

  // Refuse to be framed by any origin (blocks clickjacking).
  response.headers.set("X-Frame-Options", "DENY");
  // Stop the browser from guessing a content type other than the declared one.
  response.headers.set("X-Content-Type-Options", "nosniff");
  // Force HTTPS for two years, including subdomains; eligible for preload lists.
  response.headers.set(
    "Strict-Transport-Security",
    "max-age=63072000; includeSubDomains; preload",
  );
  // Send only the origin on cross-origin requests and nothing on HTTPS-to-HTTP downgrades.
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  // Deny powerful browser features this application does not use.
  response.headers.set(
    "Permissions-Policy",
    "camera=(), microphone=(), geolocation=()",
  );

  return response;
}

How Hackers Exploit It

Attackers combine missing headers with other vulnerabilities. Without X-Content-Type-Options, a browser may interpret an uploaded file as executable HTML. Without X-Frame-Options, an attacker can embed your site in an iframe and trick users into clicking hidden buttons. Without HSTS, an attacker on the same network can downgrade connections to HTTP and intercept traffic.

How to Fix It

Add a centralized middleware or reverse proxy configuration that sets all recommended security headers on every response. Use tools like securityheaders.com to audit your headers. Add header checks to your CI pipeline so new deployments never ship without them.

Frequently Asked Questions

Which security headers are most important to add first?
Start with Strict-Transport-Security (HSTS) to enforce HTTPS, X-Content-Type-Options to prevent MIME sniffing, and X-Frame-Options to block clickjacking. Then add Content-Security-Policy and Referrer-Policy for deeper protection.
Can I set security headers in my CDN instead of my app?
Yes. CDNs like Cloudflare, Vercel, and AWS CloudFront allow you to add or override response headers at the edge. This is often simpler and ensures headers are present even if the origin server misconfigures them.
How do I test that my security headers are correct?
Use online scanners like securityheaders.com or Mozilla Observatory. For automated testing, add header assertions to your integration test suite or use a CI step that curls your staging URL and checks for required headers.
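As an added example (not code from the original article), this is the kind of header assertion a CI step or integration test could run: it audits a captured set of response headers against the values used in the fixed middleware above and returns each weakness found. The minimum HSTS max-age and the accepted X-Frame-Options values are assumptions of this example.

```typescript
// Added example (not from the original article): audit response headers the
// way a CI step or integration test would, against the values used above.
type Finding = { header: string; problem: string };

const MIN_HSTS_MAX_AGE = 31536000; // one year (assumed minimum; preload lists expect at least this)

function auditSecurityHeaders(headers: Record<string, string>): Finding[] {
  // Header names are case-insensitive, so normalise keys before lookup.
  const h: Record<string, string> = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k].trim();
  const findings: Finding[] = [];

  const xfo = h["x-frame-options"];
  if (!xfo) findings.push({ header: "X-Frame-Options", problem: "missing (clickjacking)" });
  else if (xfo.toUpperCase() !== "DENY" && xfo.toUpperCase() !== "SAMEORIGIN")
    findings.push({ header: "X-Frame-Options", problem: `unsupported value "${xfo}"` });

  const xcto = h["x-content-type-options"];
  if (!xcto || xcto.toLowerCase() !== "nosniff")
    findings.push({ header: "X-Content-Type-Options", problem: "must be nosniff" });

  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push({ header: "Strict-Transport-Security", problem: "missing (no HTTPS enforcement)" });
  else {
    // Parse max-age; a short value lets the policy expire before it protects anyone.
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE)
      findings.push({ header: "Strict-Transport-Security", problem: `max-age ${maxAge} below ${MIN_HSTS_MAX_AGE}` });
    if (!/includeSubDomains/i.test(hsts))
      findings.push({ header: "Strict-Transport-Security", problem: "includeSubDomains not set" });
  }

  if (!h["referrer-policy"])
    findings.push({ header: "Referrer-Policy", problem: "missing (referrer leakage)" });

  return findings;
}

// Constructed samples: what a scan of the vulnerable middleware would see versus the fixed one.
const vulnerableResponse: Record<string, string> = { "content-type": "text/html; charset=utf-8" };
const fixedResponse: Record<string, string> = {
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

console.log(auditSecurityHeaders(vulnerableResponse)); // 4 findings
console.log(auditSecurityHeaders(fixedResponse)); // []
```

In a pipeline, feed the function the headers returned by a request to the staging URL and fail the build when the returned list is non-empty.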
