Skip to main content

Cryptographic vulnerabilities expose data in transit or allow traffic interception. These issues typically stem from missing or misconfigured security headers and overly permissive CORS policies.

misconfigured-security-headers

High What it is HTTP response headers that protect against common browser-side attacks are missing or misconfigured. These include HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. Why it matters Security headers are the browser’s last line of defense. Missing headers leave users vulnerable to downgrade attacks, clickjacking, MIME-type sniffing, and XSS escalation — even if the application code itself is secure. How QAOS detects it The agent checks HTTP response headers for the presence and correctness of key security headers. Commonly missing headers
HeaderRisk if missing
Strict-Transport-SecurityHTTP downgrade attacks
Content-Security-PolicyXSS escalation
X-Frame-OptionsClickjacking
X-Content-Type-OptionsMIME sniffing
Referrer-PolicyURL leakage
How to fix Add these headers to your server’s response: 
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Most frameworks support middleware for this: 
// Express.js with Helmet
const helmet = require('helmet')
app.use(helmet())

misconfigured-cors

High What it is The server returns Access-Control-Allow-Origin: * (or reflects any origin) on endpoints that return sensitive data, allowing any website to make authenticated cross-origin requests and read the response. Why it matters A wildcard CORS policy combined with Access-Control-Allow-Credentials: true allows any malicious website to make requests to your API on behalf of your logged-in users and read the response. This effectively bypasses the Same-Origin Policy. How QAOS detects it The agent checks HTTP response headers for Access-Control-Allow-Origin: * or reflected origin values on sensitive API endpoints. Examples 
# Vulnerable: wildcard CORS on authenticated API
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
How to fix Maintain an explicit allow-list of trusted origins and validate against it: 
# FastAPI CORS middleware
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],  # explicit list, never "*"
    allow_credentials=True,
    allow_methods=["GET", "POST"],
)