Headers & Infrastructure

HTTP security headers and infrastructure configuration. CSP, HSTS, cookie flags, SSL/TLS — the basics that many deployed apps are missing.

8 vulnerabilities

Missing Content-Security-Policy Header

medium

The Content-Security-Policy (CSP) header is absent, leaving browsers without instructions on which sources of scripts, styles, and resources to trust.

CWE-358 | A05:2021

Missing X-Frame-Options Header

medium

The X-Frame-Options header is absent, allowing attackers to embed your app in an invisible iframe and trick users into clicking your UI elements (clickjacking).

CWE-1021 | A05:2021

Missing X-Content-Type-Options Header

low

The X-Content-Type-Options: nosniff header is absent, allowing browsers to guess (sniff) the content type of a response and potentially execute content as script.

CWE-430 | A05:2021

Missing HTTP Strict Transport Security (HSTS)

medium

The Strict-Transport-Security header is absent, allowing browsers to connect over plain HTTP and enabling downgrade attacks where an attacker intercepts unencrypted traffic.

CWE-319 | A02:2021

Cookies Without Secure Flag

medium

Session cookies are set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections and intercepted by attackers on the network.

CWE-614 | A02:2021

Cookies Without HttpOnly Flag

medium

Session or auth cookies are accessible to JavaScript via document.cookie, enabling XSS attacks to steal session tokens directly from the browser.

CWE-1004 | A07:2021

Cookies Without SameSite Attribute

medium

Cookies are missing the SameSite attribute (or have it set to None without Secure), enabling cross-site request forgery because the cookies are sent with cross-origin requests.

CWE-352 | A01:2021

Weak SSL/TLS Configuration

high

The server accepts obsolete TLS versions (TLS 1.0, TLS 1.1) or weak cipher suites, enabling downgrade attacks that decrypt supposedly encrypted traffic.

CWE-326 | A02:2021