missing-security-headers-anti-pattern


Missing Security Headers Anti-Pattern

Severity: Medium

Summary

HTTP security headers defend against XSS, clickjacking, and man-in-the-middle attacks at the browser level. Applications failing to send these headers rely on insecure browser defaults, missing a powerful declarative security layer.

The Anti-Pattern

The anti-pattern is omitting security headers from HTTP responses. Browsers default to permissive policies, so the server must explicitly instruct them to apply stricter controls.

BAD Code Example

# VULNERABLE: A Flask application that does not set any security headers.
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/")
def index():
    return make_response("<h1>Hello</h1>")
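
The corrected counterpart, as an added example that is not part of the original skill: a standard-library WSGI middleware that supplies baseline headers for the XSS, clickjacking and man-in-the-middle cases named in the summary, plus a small audit helper. The names `SecurityHeadersMiddleware`, `missing_security_headers`, `bare_app` and `call` are hypothetical, and the header values are an assumed starting policy rather than one taken from this page.

```python
# Assumed baseline policy; tune the CSP to what each application actually loads.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",  # XSS, framing
    "X-Frame-Options": "DENY",            # clickjacking, for browsers without CSP support
    "X-Content-Type-Options": "nosniff",  # MIME sniffing
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # HTTPS downgrade
}


def missing_security_headers(headers):
    """Return baseline header names absent from a list of (name, value) pairs."""
    present = {name.lower() for name, _ in headers}
    return [h for h in BASELINE_HEADERS if h.lower() not in present]


class SecurityHeadersMiddleware:
    """Wrap any WSGI app; in Flask: app.wsgi_app = SecurityHeadersMiddleware(app.wsgi_app)."""

    def __init__(self, wsgi_app, headers=None):
        self.wsgi_app = wsgi_app
        self.headers = dict(BASELINE_HEADERS if headers is None else headers)

    def __call__(self, environ, start_response):
        def secured_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            # Add only what the app did not set, so stricter per-route policies survive.
            extra = [(k, v) for k, v in self.headers.items() if k.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)

        return self.wsgi_app(environ, secured_start_response)


def bare_app(environ, start_response):
    """Constructed stand-in for the vulnerable app: sends no security headers."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Hello</h1>"]


def call(wsgi_app):
    """Invoke a WSGI app once with a constructed request and return the headers it sent."""
    sent = []
    body = wsgi_app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"},
                    lambda status, headers, exc_info=None: sent.extend(headers))
    b"".join(body)
    return sent
```

`missing_security_headers(call(bare_app))` lists all four baseline headers, and the same call on `SecurityHeadersMiddleware(bare_app)` returns an empty list, which makes the helper usable as a regression check in a test suite.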
First Seen
Jan 20, 2026