
no-missing-security-headers

ESLint Rule: no-missing-security-headers. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).

Keywords: no missing security headers, security, ESLint rule, JavaScript, TypeScript, CWE-693


Quick Summary

| Aspect | Details |
| --- | --- |
| CWE Reference | CWE-693 (Protection Mechanism Failure) |
| Severity | Medium (security vulnerability) |
| Auto-Fix | ❌ No |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All web applications |

Vulnerability and Risk

Vulnerability: Missing security headers (such as HSTS, X-Frame-Options, and Content-Security-Policy) leave the application vulnerable to various attacks.

Risk: Without these headers, applications are more susceptible to Man-in-the-Middle (MITM) attacks (missing HSTS), Clickjacking (missing X-Frame-Options), and Cross-Site Scripting (XSS) or Data Injection (missing CSP).
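The three headers named above, set and audited in Node.js. This is an added example, not code from eslint-plugin-secure-coding and not a statement of what the rule flags. The header values and the names `applySecurityHeaders`, `missingSecurityHeaders` and `fakeResponse` are assumptions made for illustration.

```javascript
// Added example, not code from eslint-plugin-secure-coding.
// Header names are the ones named above; the values are assumed defaults.
const REQUIRED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Set each header on a Node.js http.ServerResponse (or anything exposing
// hasHeader/setHeader) unless the handler already chose its own value.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
    if (!res.hasHeader(name)) res.setHeader(name, value);
  }
  return res;
}

// Report required headers that are absent or empty in a header map such as
// the object returned by res.getHeaders(). Names compare case-insensitively.
function missingSecurityHeaders(headers) {
  const seen = new Map(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  return Object.keys(REQUIRED_HEADERS).filter(
    (name) => !seen.get(name.toLowerCase()),
  );
}

// Constructed stand-in for ServerResponse so the example runs without a socket.
function fakeResponse(initial = {}) {
  const store = new Map(
    Object.entries(initial).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return {
    hasHeader: (n) => store.has(n.toLowerCase()),
    setHeader: (n, v) => { store.set(n.toLowerCase(), v); },
    getHeaders: () => Object.fromEntries(store),
  };
}

// Constructed sample: a response that only sets Content-Type.
const bare = fakeResponse({ 'Content-Type': 'text/html' });
console.log('before:', missingSecurityHeaders(bare.getHeaders()));
console.log('after: ', missingSecurityHeaders(applySecurityHeaders(bare).getHeaders()));
```

In a real server, `applySecurityHeaders(res)` would run at the top of the request handler or in a shared middleware, and `missingSecurityHeaders` can be pointed at response headers captured in an integration test.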

Rule Details

Why This Matters

| Issue | Impact | Solution |
| --- | --- | --- |
| 🔒 Security/Code Quality | [Specific issue] | [Solution approach] |
| 🐛 Maintainability | [Impact] | [Fix] |
| Performance | [Impact] | [Optimization] |

Configuration

No configuration options available.

Examples

❌ Incorrect

// Example of incorrect usage

✅ Correct

// Example of correct usage

Configuration Examples

Basic Usage

// eslint.config.mjs
export default [
  {
    rules: {
      'secure-coding/no-missing-security-headers': 'error',
    },
  },
];

LLM-Optimized Output

🚨 no missing security headers | Description | MEDIUM
   Fix: Suggestion | Reference

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate all user inputs.

Wrapper Functions

Why: Custom wrappers are not recognized.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply rule to wrapper implementations.

Dynamic Invocation

Why: Dynamic calls are not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.

Further Reading
