# Sample Finding (Sanitized)

**Title:** Missing HTTP Security Headers enable clickjacking + weaken browser protections

**Severity:** Medium

**Affected asset(s):**
- `https://example.yourdomain.com/` (representative)

## Summary
The primary web application's responses are missing several standard HTTP security headers (e.g., `Content-Security-Policy`, `X-Frame-Options` / `frame-ancestors`, `Referrer-Policy`, `Permissions-Policy`). This increases the risk of browser-based attacks such as clickjacking and removes a layer of containment against certain classes of injection.

## Evidence (sanitized)
A request to the homepage returns a `200 OK` response without the following headers:
- `Content-Security-Policy`
- `X-Frame-Options` (or CSP `frame-ancestors`)
- `Referrer-Policy`
- `Permissions-Policy`

Example reproduction:
```bash
curl -sSI https://example.yourdomain.com/ | grep -Ei 'content-security-policy|x-frame-options|referrer-policy|permissions-policy'
# (no output)
```

## Impact
- **Clickjacking:** Without frame protections, attackers can embed the site in an iframe and trick users into unintended actions.
- **Weaker injection containment:** A CSP meaningfully reduces the blast radius of some XSS/injection paths; without one, an injected script runs with no browser-enforced restrictions.
- **Privacy leakage:** Missing `Referrer-Policy` can leak sensitive URL paths/query params to third parties.

## Recommended Fix
Set the security headers at the edge (reverse proxy) or in the application layer.

**Baseline recommendation (adjust to your app):**
- `Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: geolocation=(), camera=(), microphone=()`

If you can’t deploy a full CSP immediately, start with frame protections:
- `Content-Security-Policy: frame-ancestors 'none'` (preferred)
  - or `X-Frame-Options: DENY` (legacy)

## Verification / Retest
After deploying headers, re-run:
```bash
curl -sSI https://example.yourdomain.com/ | grep -Ei 'content-security-policy|x-frame-options|referrer-policy|permissions-policy'
```
Confirm the expected values appear on all key routes (login, app shell, API if applicable), not only the homepage.
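The `grep` above only proves the header names are present. The retest helper below, added here as an illustration and not part of the original finding or any client deliverable, grades a raw header block (such as `curl -sSI` output) against the baseline in the Recommended Fix section: it accepts either `frame-ancestors` or the legacy `X-Frame-Options` as frame protection, rejects a wildcard `frame-ancestors`, and flags leaky `Referrer-Policy` values. The sample header blocks are constructed for this example.

```python
# Referrer-Policy values that never send the full URL to a cross-origin site.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_headers(raw: str) -> dict:
    """Map lowercase header names to values; the HTTP status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def csp_directive(csp: str, name: str):
    """Return the source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def check_headers(raw: str) -> list:
    """Return the baseline violations for one route; an empty list means it passes."""
    h = parse_headers(raw)
    issues = []
    csp = h.get("content-security-policy")
    if csp is None:
        issues.append("missing Content-Security-Policy")
    # Frame protection: CSP frame-ancestors is preferred, X-Frame-Options is the legacy fallback.
    ancestors = csp_directive(csp, "frame-ancestors") if csp else None
    csp_frames_ok = ancestors is not None and "*" not in ancestors
    xfo_ok = h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"}
    if not (csp_frames_ok or xfo_ok):
        issues.append("no frame protection (CSP frame-ancestors or X-Frame-Options)")
    # Referrer-Policy may carry a fallback list; browsers honour the last value they recognise.
    rp = h.get("referrer-policy")
    if rp is None:
        issues.append("missing Referrer-Policy")
    elif rp.split(",")[-1].strip().lower() not in SAFE_REFERRER:
        issues.append(f"weak Referrer-Policy: {rp}")
    if "permissions-policy" not in h:
        issues.append("missing Permissions-Policy")
    return issues

# Constructed samples: the 'before' state from the Evidence section, and the baseline deployed.
BEFORE = "HTTP/2 200\r\ncontent-type: text/html\r\nserver: nginx\r\n"
AFTER = (BEFORE
         + "content-security-policy: default-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'\r\n"
         + "referrer-policy: strict-origin-when-cross-origin\r\n"
         + "permissions-policy: geolocation=(), camera=(), microphone=()\r\n")
```

Run `check_headers()` once per key route; a route passes the retest only when it returns an empty list.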

## Notes
This finding is intentionally sanitized for sales collateral. In a real engagement, we include exact endpoints tested, raw headers, and prioritized rollout guidance to avoid breaking legitimate third-party integrations.
