[Security] Missing HTTP Security Headers and Security Misconfiguration Vulnerabilities #84

@KAYO-ult

Description

I performed a security assessment on the deployed application using a website vulnerability scanner and identified several security misconfigurations related to missing HTTP security headers and exposed HTTP methods.

These issues may weaken browser-side protection mechanisms and increase the application's exposure to attacks such as XSS, MIME-type sniffing, and information leakage.

I would like to work on fixing these issues under GSSoC'26.


Vulnerabilities Identified

Missing Security Headers

The following HTTP security headers are currently absent:

  • Content-Security-Policy (CSP)
  • X-Content-Type-Options
  • Referrer-Policy

Potential Risks

  • Increased susceptibility to Cross-Site Scripting (XSS)
  • MIME-type sniffing vulnerabilities
  • Referrer information leakage
  • Security misconfiguration exposure

HTTP OPTIONS Method Enabled

The server currently responds to HTTP OPTIONS requests with:

Allow: GET, HEAD, OPTIONS

Exposing unnecessary HTTP methods may reveal additional server behaviour and increase reconnaissance surface area.


Suggested Fixes

Add Recommended Security Headers

Content-Security-Policy: default-src 'self';
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer

Harden HTTP Method Configuration

  • Disable unnecessary HTTP methods where possible
  • Restrict server responses to only required methods

References

  • OWASP Top 10 — Security Misconfiguration
  • CWE-693
  • CWE-1021
  • MDN Web Security Headers Documentation

Expected Outcome

  • Improved browser-side security protections
  • Reduced attack surface
  • Better HTTP security hardening
  • Improved OWASP security compliance

Additional Notes

The issues were identified through automated vulnerability scanning during testing of the deployed application.

I am contributing to this issue under GSSoC'26.
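The header and method hardening suggested in this issue, shown as an added example that is not the project's code (the issue does not say which server stack the application uses, so a generic WSGI wrapper is assumed). `harden()` attaches the three recommended headers to every response and answers any method outside the assumed `ALLOWED_METHODS` tuple with `405 Method Not Allowed`, and `audit_headers()` is the check a scanner performs, reporting which recommended headers a response lacks; `call()` drives the app in-process so the whole thing runs offline.

```python
"""Added example, not the project's own code: WSGI hardening wrapper plus a
header audit helper for the three headers named in the issue."""


# Header values recommended in the issue.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# Assumed set of methods the application actually needs; OPTIONS is left out
# so it is neither served nor advertised in the Allow header.
ALLOWED_METHODS = ("GET", "HEAD")


def audit_headers(headers):
    """Return the recommended header names missing from a response.

    `headers` is an iterable of (name, value) pairs, as a WSGI app or an HTTP
    client library yields them; header names are compared case-insensitively.
    """
    present = {name.lower() for name, _ in headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def app(environ, start_response):
    """Hypothetical unhardened application: one HTML page, no security headers."""
    body = b"<html><body>hello</body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def harden(inner_app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS and any method
    outside ALLOWED_METHODS is refused with 405 and a minimal Allow header."""
    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method not in ALLOWED_METHODS:
            hdrs = [("Allow", ", ".join(ALLOWED_METHODS)), ("Content-Length", "0")]
            hdrs += list(SECURITY_HEADERS.items())  # error responses get them too
            start_response("405 Method Not Allowed", hdrs)
            return [b""]

        def start_with_headers(status, headers, exc_info=None):
            # Add only the recommended headers the inner app did not set itself,
            # so an app-level CSP is not duplicated or overridden.
            existing = {n.lower() for n, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS.items()
                     if n.lower() not in existing]
            return start_response(status, list(headers) + extra, exc_info)

        return inner_app(environ, start_with_headers)
    return wrapped


def call(wsgi_app, method, path="/"):
    """Invoke a WSGI app in-process (no sockets) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_PROTOCOL": "HTTP/1.1"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    hardened = harden(app)
    _, headers, _ = call(app, "GET")
    print("unhardened app is missing:", audit_headers(headers))
    status, headers, _ = call(hardened, "GET")
    print("hardened app is missing:", audit_headers(headers), "status:", status)
    status, headers, _ = call(hardened, "OPTIONS")
    print("OPTIONS ->", status, "Allow:", dict(headers).get("Allow"))
    # To serve for real: wsgiref.simple_server.make_server("127.0.0.1", 8000, hardened)
```

Two caveats worth checking before deploying the values as written: `default-src 'self'` blocks inline scripts and styles as well as third-party CDNs, so it is safer to roll it out first as `Content-Security-Policy-Report-Only` and fix what it reports; and OPTIONS is how browsers perform CORS preflight, so if the application is called cross-origin from JavaScript, refusing OPTIONS outright will break those calls, and the better restriction is to keep OPTIONS only on the endpoints that need it.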
