VibeSec
Severity: Medium (4.3), moderate risk

Missing / Weak Security Headers

A05:2025 · Passive check · CVSS 4.3

What it is

The check reports missing or weak Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options and related headers, and performs a deeper CSP analysis that flags 'unsafe-inline', 'unsafe-eval' and wildcard sources.

How attackers abuse it

Missing security headers leave the browser's built-in protections off, making attacks like clickjacking and cross-site scripting easier to pull off against your users.

Attacker playbook

  1. Check the response headers for missing protections (CSP, HSTS, X-Frame-Options).
  2. Use the gap to frame your site for clickjacking or to land an XSS payload.
  3. Combine with another bug for bigger impact.

How VibeSec detects and confirms it

VibeSec checks for this with a passive, read-only scan that is safe to run on any site. The check uses the VibeSec native detector and bases the finding only on the response headers your site already exposes publicly.

If this is in your report: how to fix it

  • Set a Content Security Policy, HSTS, X-Content-Type-Options, X-Frame-Options, and a Referrer-Policy.
  • Start CSP in report-only mode, then enforce it.
  • Re-scan to confirm the headers are present on every response.
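To make the fix list concrete, the following is an added example (not VibeSec's own scanner code) of the kind of passive header audit a re-scan performs: it takes a captured response's headers as a plain dict, reports which of the five headers are absent, parses the CSP to flag 'unsafe-inline', 'unsafe-eval' and wildcard-style sources, notes when only a report-only CSP is present, and checks the HSTS max-age. The two sample responses are constructed for this example, and the one-year HSTS threshold and the set of sources treated as wildcards (`*`, `https:`, `http:`) are assumptions of this example, not VibeSec's rules.

```python
"""Passive audit of security headers on a captured HTTP response.

Added example, not VibeSec's code. Input is a plain dict of response headers
(constructed samples below), so it runs offline with no network access.
"""
from typing import Dict, List

# Headers the fix list asks for, matched case-insensitively.
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Assumption for this example: an HSTS max-age under one year is treated as weak.
MIN_HSTS_MAX_AGE = 31536000

# Assumption for this example: source expressions treated as wildcard-style.
WILDCARD_SOURCES = ("*", "https:", "http:")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(value: str) -> List[str]:
    """Flag 'unsafe-inline' / 'unsafe-eval' and wildcard-style sources per directive."""
    findings: List[str] = []
    for directive, sources in parse_csp(value).items():
        for src in sources:
            s = src.strip("'").lower()
            if s in ("unsafe-inline", "unsafe-eval"):
                findings.append(f"CSP {directive} allows '{s}'")
            elif s in WILDCARD_SOURCES:
                findings.append(f"CSP {directive} uses wildcard-style source {src}")
    return findings


def hsts_findings(value: str) -> List[str]:
    """Flag a max-age below the threshold (a missing max-age counts as 0)."""
    max_age = 0
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}"]
    return []


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = [f"missing header: {n}" for n in EXPECTED_HEADERS if n not in h]
    if "content-security-policy" in h:
        findings += csp_findings(h["content-security-policy"])
    elif "content-security-policy-report-only" in h:
        # Report-only is the right first step, but it does not block anything yet.
        findings.append("CSP is report-only: violations are logged, not blocked")
    if "strict-transport-security" in h:
        findings += hsts_findings(h["strict-transport-security"])
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings


# Constructed sample responses: a weak configuration and its hardened counterpart.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(resp)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample it reports eight findings (three missing headers, four CSP weaknesses, one short HSTS max-age); the hardened sample reports none. The report-only branch matches the second fix step: a site that has moved to `Content-Security-Policy-Report-Only` still shows up until the policy is switched to the enforcing header.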

Check your site for this

Run a scan and see whether this affects you, in plain language with copy-paste fixes.
