# Missing HTTP Security Headers

- ID: go-missing-security-headers
- Severity: MEDIUM
- CWE: Protection Mechanism Failure (CWE-693)
- Languages: Go
- Frameworks: gin, echo, fiber, chi, gorilla

## Description

HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.

## Detection Message

Application lacks important security headers

## Remediation

Add security headers in middleware applied to all routes.

```go
func securityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("X-Content-Type-Options", "nosniff")
        w.Header().Set("Content-Security-Policy", "default-src 'self'")
        next.ServeHTTP(w, r)
    })
}
```

Learn more: https://shoulder.dev/learn/go/cwe-693/missing-security-headers

## Documentation

[object Object]

## Related Rules

- **Missing Healthcheck Configuration** [LOW]: 
- **Chi Missing Security Headers** [MEDIUM]: 
- **Echo Missing Security Headers** [MEDIUM]: 
- **Fiber Missing Security Headers** [MEDIUM]: 
- **Gin Missing Security Headers** [MEDIUM]: