MB-R096
Storefront and admin responses should include a baseline set of browser security headers, including CSP or frame-ancestors, X-Content-Type-Options, Referrer-Policy, and other appropriate hardening headers. Missing headers increase exposure to clickjacking, content sniffing, data leakage, and script injection impact. Apply headers consistently at the application, web server, or edge layer.
Browser security headers provide defense-in-depth against clickjacking, MIME sniffing, referrer leakage, downgrade attacks, and unsafe script behavior. Missing headers make successful browser-side attacks easier.
A Magento baseline should verify these headers across storefront, admin, checkout, and API responses, not just the homepage.
curl -I https://mystore.com/ | egrep -i "strict-transport-security|x-content-type-options|referrer-policy|content-security-policy|frame"
curl -I https://mystore.com/checkout | egrep -i "strict-transport-security|content-security-policy"
# Check storefront, admin, checkout, static asset, and API responses
HTTP response has no HSTS, CSP, Referrer-Policy, or nosniff header.
# Header baseline missing → FAIL
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
# Baseline present → PASS