Secure Headers Audit (A05:2021)

Analyze PHP code for missing or misconfigured HTTP security headers.

Detection Patterns

1. Missing Content-Security-Policy (CSP)

// VULNERABLE: No CSP — allows XSS via inline scripts
class ResponseMiddleware
{
    public function handle(Request $request, Response $response): Response
    {
        // No Content-Security-Policy header
        return $response;
    }
}