Missing HTTP security headers middleware
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An Express app was detected with no helmet (or equivalent) dependency for setting standard security headers.
Why it matters
Without security headers, browsers fall back to permissive defaults: pages can be framed for clickjacking, MIME types get sniffed, and referrer data leaks. helmet sets a sensible baseline in one middleware call. This finding means the dependency is absent entirely, so none of those headers are coming from the app.
How to fix it
Install helmet and register it before your routes: app.use(helmet()). Review the defaults; the content security policy it ships may need tuning if your pages load scripts or images from other origins. For JSON APIs the defaults are usually safe to keep as is.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo