Skip to main content
VibeAudit Liability Index
mediumCORS/security-header riskFix order 8

Security Header Paper Shield

What it is

Deployment header configuration lacks one or more baseline browser security headers.

This usually appears when generated code proves that a feature works but does not leave enough evidence that the launch boundary was checked.

How to fix it

Add a scoped Content-Security-Policy and Strict-Transport-Security on HTTPS deployments, then smoke-test deployed headers.

  1. 1Add a scoped Content-Security-Policy and Strict-Transport-Security in deployment config.
  2. 2Roll CSP out report-only first, then enforce once reports are clean.
  3. 3Smoke-test the deployed headers after every deploy.

How VibeAudit checks for this

VibeAudit checks this with Q0_EXTERNAL_SHALLOW response-header observations, one CORS Origin probe, and SAST_LOCAL_STRUCTURAL CORS or header configuration evidence when supplied. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan