Bug #54
Status: open (0% done)
Description
Objectives:-
The application's responses do not include (or only minimally configure) several recommended HTTP security headers that instruct the browser to block common client-side attacks such as Cross-Site Scripting (XSS), clickjacking, MIME-type sniffing, and leakage of sensitive URL data through the Referer header. Without these headers the application forgoes browser-enforced defence in depth, and its client-side attack surface is larger than it needs to be.
Steps:-
Open the application in a browser.
Capture a page request using Burp Suite or Browser Developer Tools.
Inspect the HTTP response headers.
Observe that the following security headers are missing or only minimally configured:
Header                   Purpose
Content-Security-Policy  Restricts where scripts, objects and other content may load from (XSS, data injection) and, via frame-ancestors, who may frame the page (clickjacking)
Referrer-Policy          Prevents leakage of sensitive URL data via the Referer header
Permissions-Policy       Restricts browser features (camera, microphone, geolocation, etc.)
1. CSP is too minimal. Required value (one header; directives separated by semicolons):
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
default-src 'self' also governs styles, images, fonts and XHR/fetch unless a more specific directive overrides it. Before deploying, confirm that the UI loads no inline scripts and no scripts from third-party origins; if it does, add nonces/hashes or the exact origins to script-src rather than 'unsafe-inline'.
2. Referrer-Policy: set it to one of the following:
Referrer-Policy: no-referrer
or
Referrer-Policy: strict-origin-when-cross-origin
3. Permissions-Policy is absent. It should be:
Permissions-Policy: camera=(), microphone=(), geolocation=()
(extend the list with any other feature the UI does not use).
4. X-Frame-Options is not required: frame-ancestors 'none' in the CSP above supersedes it in every browser that supports CSP Level 2, and takes precedence when both are sent. Adding X-Frame-Options: DENY as well is harmless and only matters for legacy browsers.
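The following script is an added example (not part of this report) that automates steps 3 and 4 above and encodes the header values recommended in points 1 to 3: paste the captured response headers into a dict and it lists which checks fail. The functions (audit_headers, parse_csp, parse_permissions_policy) and both header samples are constructed for illustration; the "observed" sample mimics the kind of response described in this ticket, the "recommended" one is the header set requested above.

```python
"""Audit a response header set against the controls this ticket asks for.

Added example, not from the original report. Sample headers below are
constructed; the rules encode the values recommended in the ticket.
"""
from typing import Dict, List

ACCEPTED_REFERRER_POLICIES = {"no-referrer", "strict-origin-when-cross-origin"}
# CSP directive -> source expressions that must appear in it.
REQUIRED_CSP = {"default-src": {"'self'"}, "script-src": {"'self'"},
                "object-src": {"'none'"}, "frame-ancestors": {"'none'"}}
WEAK_CSP_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
REQUIRED_PERMISSIONS = {"camera", "microphone", "geolocation"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; ';'-separated,
    directive names case-insensitive, repeated directives ignored (as browsers do)."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Return {feature: allowlist} from e.g. 'camera=(), geolocation=(self)'."""
    features: Dict[str, str] = {}
    for item in value.split(","):
        if "=" in item:
            feature, allowlist = item.split("=", 1)
            features[feature.strip().lower()] = allowlist.strip()
    return features


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one captured response; an empty list means all checks pass."""
    h = {name.lower(): val for name, val in headers.items()}  # names are case-insensitive
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        for directive, required in REQUIRED_CSP.items():
            sources = policy.get(directive)
            if sources is None:
                findings.append(f"CSP: {directive} directive missing")
                continue
            missing = required - set(sources)
            if missing:
                findings.append(f"CSP: {directive} lacks {' '.join(sorted(missing))}")
            if "'none'" in required and len(sources) != 1:  # 'none' only counts alone
                findings.append(f"CSP: {directive} must be exactly 'none'")
            weak = WEAK_CSP_SOURCES & set(sources)
            if weak:
                findings.append(f"CSP: {directive} allows {' '.join(sorted(weak))}")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    else:
        # Comma-separated fallback lists are allowed; browsers apply the last
        # value they recognise, so judge that one.
        effective = [v.strip().lower() for v in rp.split(",")][-1]
        if effective not in ACCEPTED_REFERRER_POLICIES:
            findings.append(f"Referrer-Policy {effective!r} is not a recommended value")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy missing")
    else:
        features = parse_permissions_policy(pp)
        for feature in sorted(REQUIRED_PERMISSIONS):
            allowlist = features.get(feature)
            if allowlist is None:
                findings.append(f"Permissions-Policy: {feature} not restricted")
            elif allowlist != "()":
                findings.append(f"Permissions-Policy: {feature} allowed for {allowlist}")
    return findings


# Constructed sample resembling the report: minimal CSP, leaky Referrer-Policy,
# no Permissions-Policy.
OBSERVED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
# The header set this ticket asks for (X-Frame-Options intentionally absent).
RECOMMENDED_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED_HEADERS), ("recommended", RECOMMENDED_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running it against the constructed "observed" sample reports six findings (weak default-src, three missing CSP directives, the leaky Referrer-Policy and the absent Permissions-Policy); the recommended set reports none. To use it on the real application, copy the headers from the Burp Suite or Developer Tools response into OBSERVED_HEADERS and rerun, and rerun once more after the fix as the retest.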
Expected Result:-
The application should include appropriate HTTP security headers in all UI responses to enforce browser-side security controls and reduce the risk of client-side attacks.
Actual Result:-
The application responses lack multiple recommended security headers, leaving the application without adequate browser-level protections.
Please find the below link for reference:-
https://thehigherpitch-my.sharepoint.com/:i:/p/rashmita_rout/IQARzxDf8O1ISaPcNF629hQfATMepbn4CNouJ1VtxZ2w6tY?e=RgtfVz