# Missing Security Headers

- ID: python-missing-security-headers
- Severity: MEDIUM
- CWE: CWE-16 (Configuration)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects missing security headers such as Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Referrer-Policy and Permissions-Policy. These headers provide defense in depth against protocol downgrade, MIME sniffing, clickjacking, cross-site scripting and leakage of URLs through the Referer header. The rule also looks for X-XSS-Protection; note that the legacy browser XSS auditor it controlled has been removed from current browsers, so if the header is sent at all it should be set to `0`, with a Content-Security-Policy providing the actual XSS mitigation.

NOTE: This rule only applies to app setup files (settings.py, middleware, app.py, etc.). Security headers should be configured once at the application level, in middleware or framework settings, not in individual view handlers, where they are easily forgotten on some routes.

## Detection Message

Application missing important security headers

## Remediation

Add security headers via middleware: HSTS, X-Content-Type-Options, X-Frame-Options, and CSP. Two caveats: browsers only honour Strict-Transport-Security on HTTPS responses, so it does nothing on plain-HTTP replies, and `includeSubDomains` commits every subdomain to HTTPS, so check that all of them are served over TLS before enabling it. A Flask example:

```python
from flask import Flask

app = Flask(__name__)


@app.after_request
def set_security_headers(response):
    # Applied to every response, so no view can forget a header.
    # One year, covering subdomains; browsers ignore this over plain HTTP.
    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    # Stop browsers from guessing a MIME type that differs from Content-Type.
    response.headers['X-Content-Type-Options'] = 'nosniff'
    # Refuse to be framed (clickjacking); CSP frame-ancestors is the modern equivalent.
    response.headers['X-Frame-Options'] = 'DENY'
    # Restrictive baseline policy; relax per resource type as the app requires.
    response.headers['Content-Security-Policy'] = "default-src 'self'"
    return response
```

Django provides the same protections through `django.middleware.security.SecurityMiddleware` (`SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS`, `SECURE_CONTENT_TYPE_NOSNIFF`) and `django.middleware.clickjacking.XFrameOptionsMiddleware` (`X_FRAME_OPTIONS`); configure them in settings.py. In FastAPI, register an HTTP middleware with `@app.middleware("http")` that sets the headers on every response.

Learn more: https://shoulder.dev/learn/python/cwe-16/missing-security-headers
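The remediation above is Flask-specific. The following added example (not the rule's or shoulder.dev's own code; `SecurityHeadersMiddleware`, `add_security_headers`, `audit_security_headers` and the sample WSGI environ are this example's own assumptions) shows the same idea as a framework-agnostic WSGI middleware that fills in only the headers the application did not set itself, adds HSTS only on HTTPS responses, and pairs it with an auditor that reports the missing or weak headers this rule is about, including an X-XSS-Protection value that is enabled rather than `0`.

```python
"""Added example: WSGI security-header middleware plus an auditor for the same headers.
Not the rule's or shoulder.dev's code; all names here are this example's own."""
from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Baseline values. X-XSS-Protection is deliberately "0": the legacy auditor it
# enabled is gone from current browsers and was itself abusable in old ones.
DEFAULT_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
}
HSTS_VALUE = "max-age=31536000; includeSubDomains"
ONE_YEAR = 31536000


def add_security_headers(response_headers: Iterable[Header], defaults: Dict[str, str],
                         hsts: str, is_https: bool) -> List[Header]:
    """Append each default header the application did not already set.
    HSTS is only added on HTTPS responses; browsers ignore it over plain HTTP."""
    out = list(response_headers)
    present = {name.lower() for name, _ in out}
    for name, value in defaults.items():
        if name.lower() not in present:
            out.append((name, value))
    if is_https and "strict-transport-security" not in present:
        out.append(("Strict-Transport-Security", hsts))
    return out


class SecurityHeadersMiddleware:
    """WSGI middleware usable in front of Flask, Django or any other WSGI app."""

    def __init__(self, app, headers: Optional[Dict[str, str]] = None, hsts: str = HSTS_VALUE):
        self.app = app
        self.headers = dict(DEFAULT_HEADERS if headers is None else headers)
        self.hsts = hsts

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is what the WSGI server saw. Behind a TLS-terminating
        # proxy, fix it up from X-Forwarded-Proto first (e.g. werkzeug's ProxyFix).
        is_https = environ.get("wsgi.url_scheme") == "https"

        def _start_response(status, response_headers, exc_info=None):
            merged = add_security_headers(response_headers, self.headers, self.hsts, is_https)
            return start_response(status, merged, exc_info)

        return self.app(environ, _start_response)


def _hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS value; -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (names matched case-insensitively);
    an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    if h.get("x-xss-protection", "0").strip() != "0":
        findings.append("X-XSS-Protection enabled; remove it or set it to 0")
    return findings


def run_demo(scheme: str = "https") -> Dict[str, str]:
    """Drive the middleware with a constructed WSGI environ and return the final headers."""
    def app(environ, start_response):
        # The app sets its own X-Frame-Options, which the middleware must not override.
        start_response("200 OK", [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")])
        return [b"<h1>ok</h1>"]

    captured: Dict[str, List[Header]] = {}

    def start_response(status, response_headers, exc_info=None):
        captured["headers"] = response_headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}  # constructed
    list(SecurityHeadersMiddleware(app)(environ, start_response))
    return dict(captured["headers"])


if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(scheme, audit_security_headers(run_demo(scheme)) or "all headers present")
```

Wrap an existing app with `app.wsgi_app = SecurityHeadersMiddleware(app.wsgi_app)` in Flask, or `application = SecurityHeadersMiddleware(get_wsgi_application())` in a Django wsgi.py. The auditor is also usable in an integration test against a live endpoint: feed it `dict(response.headers)` and assert the returned list is empty, which catches a route or error handler that silently drops a header.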