Header Audit

Missing CSP / Headers

Responses ship without a Content Security Policy or `X-Frame-Options`, so the page can be framed and inline scripts run unrestricted.

Expected Findings

  • `Content-Security-Policy` header is not set.
  • `X-Frame-Options` is missing, so the app can be framed for clickjacking.
  • `Strict-Transport-Security` is also absent.

Signals

Bug
// no middleware sets CSP / XFO / HSTS
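An added example, not part of the original audit report, showing both sides of this finding: a small Express/Connect-style middleware that sets the three headers named above, and an audit function that reproduces the expected findings when run over a response's headers. The policy values (`default-src 'self'; frame-ancestors 'none'`, `DENY`, a one-year `max-age`) are assumed baseline settings, not values from the report; the `fakeResponse` helper and `runDemo` are constructed here so the block runs offline without starting a server.

```javascript
// Added example (not the audited project's code). Baseline header values
// below are assumptions; tighten the CSP to what the app actually needs.
const REQUIRED_HEADERS = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
};

// Middleware in the (req, res, next) shape used by Express/Connect-style
// frameworks. It relies only on res.setHeader / res.getHeader, so it also
// works with Node's built-in http.ServerResponse.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
    // Do not clobber a stricter policy an earlier handler already set.
    if (!res.getHeader(name)) res.setHeader(name, value);
  }
  next();
}

// Audit: given a response's headers (name -> value, as in
// http.IncomingMessage#headers), return the findings a reviewer would raise.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const findings = [];
  const csp = lower['content-security-policy'] || '';
  if (!csp) {
    findings.push('Content-Security-Policy header is not set.');
  }
  // A CSP frame-ancestors directive also blocks framing, so only flag
  // X-Frame-Options when neither protection is present.
  if (!lower['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    findings.push('X-Frame-Options is missing, so the app can be framed for clickjacking.');
  }
  if (!lower['strict-transport-security']) {
    findings.push('Strict-Transport-Security is absent.');
  }
  return findings;
}

// Constructed stand-in for a response object so the demo needs no server.
function fakeResponse() {
  const store = {};
  return {
    setHeader: (n, v) => { store[n.toLowerCase()] = v; },
    getHeader: (n) => store[n.toLowerCase()],
    headers: () => ({ ...store }),
  };
}

// Audit a response with no middleware applied, then one that went through
// securityHeaders(); returns both finding lists for comparison.
function runDemo() {
  const before = fakeResponse();            // nothing sets headers: 3 findings
  const after = fakeResponse();
  securityHeaders({}, after, () => {});     // middleware applied: 0 findings
  return {
    before: auditHeaders(before.headers()),
    after: auditHeaders(after.headers()),
  };
}

console.log(runDemo());
```

In a real deployment the middleware is registered before any route handlers so every response, including error pages, carries the headers; the audit function is what a header check in CI or a scanner would run against the captured response.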