What it is
Browsers enforce security-focused response headers such as Content-Security-Policy, X-Frame-Options, Referrer-Policy, Strict-Transport-Security, and others to restrict which resources a page may load and execute, which sites may frame it, how much referrer data it leaks, and whether it may be reached over plain HTTP at all. When these headers are missing or misconfigured, the browser falls back to its permissive defaults: injected scripts run, any origin may frame the page, and connections may be downgraded to HTTP. The headers do not remove the underlying bugs, but they limit what an attacker can do with them.
Why it matters
Without these headers the browser has no instruction to enforce stricter behavior, so a cross-site scripting bug executes injected script with the page's full privileges, the page can be framed for clickjacking, and session cookies or URL-embedded tokens can leak through referrers or plain-HTTP requests. Many compliance frameworks expect a documented header baseline, and regressions often slip in during deployments or reverse-proxy and CDN changes, when a new edge layer strips headers or fails to add them. A missing header is therefore both a security weakness and a policy violation.
How to reduce risk
- Define a baseline set of HTTP security headers (for example Content-Security-Policy with frame-ancestors, Strict-Transport-Security, Referrer-Policy, X-Content-Type-Options) and apply it consistently across web servers, CDNs, and serverless platforms, including error pages and API responses, which are easy to forget.
- Test header presence and values after deployments or configuration changes to prevent silent regressions.
- Automate scanning for the baseline as part of CI/CD or external monitoring, and check values rather than presence alone: a Content-Security-Policy that allows 'unsafe-inline' for scripts or a Strict-Transport-Security max-age of a few seconds passes a presence check but provides little protection.
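The following is an added example of the kind of baseline check the steps above describe; it is not code from the original page or from any particular scanner. It audits one response's header set against a small baseline, validating values as well as presence: HSTS max-age floor, CSP script sources and framing restriction, Referrer-Policy and X-Content-Type-Options values. The baseline, the 180-day HSTS floor, and the two header sets (one weak, one hardened) are constructed assumptions for illustration; in CI you would replace them with headers fetched from your deployed endpoints.

```python
"""Baseline audit of HTTP security headers (added example, not from the page).

The baseline, the HSTS floor and the sample header sets are assumptions
made for illustration; none of them is captured from a real site.
"""
import re

HSTS_MIN_AGE = 15552000  # 180 days; assumption, choose your own floor


def check_hsts(value):
    """Strict-Transport-Security must carry a max-age at or above the floor."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < HSTS_MIN_AGE:
        return f"max-age {m.group(1)} below {HSTS_MIN_AGE}"
    return None


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value):
    """Script sources come from script-src, falling back to default-src."""
    policy = parse_csp(value)
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        return "no script-src or default-src"
    problems = [f"{weak} allowed for scripts"
                for weak in ("'unsafe-inline'", "'unsafe-eval'", "*")
                if weak in scripts]
    return "; ".join(problems) or None


def check_referrer(value):
    allowed = {"no-referrer", "same-origin", "strict-origin",
               "strict-origin-when-cross-origin"}
    return None if value.strip().lower() in allowed else f"weak policy {value!r}"


def check_xcto(value):
    return None if value.strip().lower() == "nosniff" else f"unexpected value {value!r}"


# Baseline: lower-cased header name -> validator returning an error string or None.
BASELINE = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "referrer-policy": check_referrer,
    "x-content-type-options": check_xcto,
}


def audit_headers(headers):
    """Return a list of findings for one response's headers (name -> value dict)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, validator in BASELINE.items():
        if name not in lower:
            findings.append(f"{name}: missing")
            continue
        problem = validator(lower[name])
        if problem:
            findings.append(f"{name}: {problem}")
    # Framing is restricted by either CSP frame-ancestors or X-Frame-Options;
    # report the exposure once, only when neither is present.
    csp = lower.get("content-security-policy", "")
    if "frame-ancestors" not in parse_csp(csp) and "x-frame-options" not in lower:
        findings.append("framing: neither frame-ancestors nor X-Frame-Options set")
    return findings


# Constructed sample responses (not captured from any real deployment).
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    failed = False
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_headers(hdrs)
        failed = failed or bool(findings)
        print(label, "->", findings or "OK")
    raise SystemExit(1 if failed else 0)  # non-zero exit fails the CI job
```

The weak set is reported on every rule (short HSTS max-age, 'unsafe-inline' for scripts, unsafe-url referrer, missing X-Content-Type-Options, no framing restriction) even though three of the four baseline headers are present, which is the point of checking values rather than presence. The hardened set produces no findings. Header names are compared case-insensitively because proxies and CDNs commonly change their casing.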