SEC013warningPro

missing-security-headers

Web applications should set HSTS and CSP security headers

Applies to: JavaScript, MJS, TypeScript

Why this matters

Without Strict-Transport-Security (HSTS), browsers may connect over plain HTTP, enabling man-in-the-middle attacks. Without Content-Security-Policy (CSP), the application is more vulnerable to XSS attacks. These headers are easy to add and provide significant security improvements.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC013 includedstablestack explain SEC013

SEC013 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC013