
Insecure Headers in Windsurf Apps

Windsurf generates functional web applications but almost never configures HTTP security headers. Missing headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security leave the application exposed to entire categories of browser-based attacks.


How It Happens

Windsurf's Cascade agent focuses on building features, not infrastructure security. When it generates a Next.js, Express, or Vite project, the server configuration includes routing and middleware for the application logic but omits security headers entirely.

Security headers require understanding the application's specific needs. A Content-Security-Policy must list all legitimate script sources, which Cascade cannot determine from a feature prompt. Rather than generating an incorrect CSP that breaks the app, Cascade generates none at all.

Even when developers ask Cascade to "add security headers," the generated configuration is often incomplete or overly permissive. A CSP with unsafe-inline and unsafe-eval defeats the purpose of having a CSP.

Windsurf apps deployed to platforms like Vercel or Netlify miss the opportunity to configure headers in platform-specific config files (vercel.json, _headers) because Cascade does not generate these by default.

Impact

Without X-Frame-Options or a CSP frame-ancestors directive, attackers can embed your Windsurf app in an iframe on a malicious site and trick users into clicking hidden elements (clickjacking). This is especially dangerous for apps with sensitive actions like payments or account changes.

Missing Content-Security-Policy allows any injected script to execute without restriction, making XSS vulnerabilities far more exploitable. CSP acts as a safety net that limits damage even when other defenses fail.

Without Strict-Transport-Security, users who type your domain without https:// can be intercepted by a man-in-the-middle attack during the initial HTTP request, even if the server eventually redirects to HTTPS.

How to Detect

Open your Windsurf app in a browser, open DevTools, and go to the Network tab. Click on the main document request and inspect the response headers. Look for the absence of Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Permissions-Policy. Use curl -I https://your-app.com to quickly view response headers from the command line. Any missing security header is a finding. Vibe App Scanner checks all security-relevant response headers and provides specific remediation for each missing header based on your application's framework and hosting platform.
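The manual check above can be scripted. The following is an added example (not code from this page, from Vibe App Scanner, or from Windsurf): it parses the raw text that curl -I prints, then reports which of the headers listed above are missing and flags weak values for the ones that are present (unsafe-inline or unsafe-eval in the CSP, no framing protection, an HSTS max-age under one year). The function names and the sample curl output are constructed for this example.

```javascript
// Added example: audit `curl -I` output for the security headers discussed above.
// Function names and sample data are invented for illustration.

const REQUIRED_HEADERS = [
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
  'strict-transport-security',
  'referrer-policy',
  'permissions-policy',
];

const ONE_YEAR_SECONDS = 31536000;

// Parse a raw header block (status line followed by "Name: value" lines) into a
// map keyed by lower-cased header name. Header names are case-insensitive.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue; // skip status line and blanks
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = value;
  }
  return headers;
}

// Return a list of findings: missing headers first, then weak values.
function auditSecurityHeaders(headers) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push({ header: name, problem: 'missing' });
  }

  const csp = headers['content-security-policy'];
  if (csp) {
    // These keywords let injected inline script run, which is what CSP is meant to stop.
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (csp.includes(kw)) {
        findings.push({ header: 'content-security-policy', problem: `contains ${kw}` });
      }
    }
    // Framing is only restricted if frame-ancestors or X-Frame-Options is set.
    if (!/frame-ancestors/i.test(csp) && !('x-frame-options' in headers)) {
      findings.push({
        header: 'content-security-policy',
        problem: 'no frame-ancestors directive and no X-Frame-Options header',
      });
    }
  }

  const hsts = headers['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) {
      findings.push({
        header: 'strict-transport-security',
        problem: `max-age ${maxAge} is below one year`,
      });
    }
  }

  const xcto = headers['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') {
    findings.push({ header: 'x-content-type-options', problem: `unexpected value "${xcto}"` });
  }

  return findings;
}

// Convenience wrapper: raw curl -I text in, findings out.
function auditRaw(raw) {
  return auditSecurityHeaders(parseHeaderBlock(raw));
}

// Constructed sample: roughly what a freshly generated app might return after
// someone bolted on a permissive CSP and a short HSTS lifetime.
const SAMPLE_CURL_OUTPUT = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'x-powered-by: Next.js',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'strict-transport-security: max-age=300',
  '',
].join('\r\n');

for (const f of auditRaw(SAMPLE_CURL_OUTPUT)) {
  console.log(`${f.header}: ${f.problem}`);
}
```

Paste the output of curl -I into SAMPLE_CURL_OUTPUT (or read it from a file) to audit a real deployment; an empty findings list means every header above is present and none of the checked values is obviously weak.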

How to Fix

For Next.js apps generated by Windsurf, add security headers in next.config.js using the headers() function. Define Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security with a long max-age, and Permissions-Policy.

For Express backends, add the helmet middleware which sets sensible security headers by default. Run npm install helmet and add app.use(helmet()) before your routes.

For static deployments on Vercel, create a vercel.json with a headers section. For Netlify, create a _headers file in the publish directory. These platform-specific methods ensure headers are set even for static assets.

Start with a restrictive CSP and loosen it only as needed. Begin with default-src 'self' and add specific sources for scripts, styles, images, and fonts as your app requires them.
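The fixes above put the same header set in three different places (next.config.js, vercel.json, _headers), and the CSP advice is to grow from default-src 'self' rather than start permissive. The following added example (not code from this page or from Windsurf) goes one step further than the text: it keeps a single policy definition, refuses to emit a CSP that contains unsafe-inline or unsafe-eval unless that is explicitly allowed, and renders the result for Next.js, Vercel and Netlify. The helper names (buildCsp, securityHeaders, renderVercelJson, renderNetlifyHeaders) and the example CDN host are invented for this example.

```javascript
// Added example: one header policy, rendered for each deployment target.
// Helper names and the sample sources are invented for illustration.

// Build a Content-Security-Policy string from a directive map. The policy always
// starts from default-src 'self' and frame-ancestors 'none'; callers add only the
// sources their app needs. 'unsafe-inline' / 'unsafe-eval' are rejected unless
// allowUnsafe is set, so a permissive CSP cannot slip in by accident.
function buildCsp(directives, { allowUnsafe = false } = {}) {
  const merged = { 'default-src': ["'self'"], 'frame-ancestors': ["'none'"], ...directives };
  const parts = [];
  for (const [name, sources] of Object.entries(merged)) {
    if (!/^[a-z-]+$/.test(name)) throw new Error(`invalid directive name: ${name}`);
    for (const src of sources) {
      if (!allowUnsafe && (src === "'unsafe-inline'" || src === "'unsafe-eval'")) {
        throw new Error(`${name} contains ${src}; this defeats the purpose of a CSP`);
      }
    }
    parts.push(sources.length ? `${name} ${sources.join(' ')}` : name);
  }
  return parts.join('; ');
}

// The baseline header set from the text, with the CSP supplied by the caller.
// Key/value objects are the shape Next.js and vercel.json both expect.
function securityHeaders(csp) {
  return [
    { key: 'Content-Security-Policy', value: csp },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Next.js: the array that async headers() in next.config.js should return.
function nextHeadersConfig(headers) {
  return [{ source: '/(.*)', headers }];
}

// Vercel: the contents of vercel.json with a "headers" section covering every path.
function renderVercelJson(headers) {
  return JSON.stringify({ headers: [{ source: '/(.*)', headers }] }, null, 2);
}

// Netlify: the contents of a _headers file in the publish directory.
// Format: a path pattern line, then indented "Name: value" lines.
function renderNetlifyHeaders(headers) {
  return ['/*', ...headers.map((h) => `  ${h.key}: ${h.value}`)].join('\n') + '\n';
}

// Constructed policy: scripts from the app itself and one CDN, images from the
// app and data: URIs. Everything else falls back to default-src 'self'.
const exampleCsp = buildCsp({
  'script-src': ["'self'", 'https://cdn.example.com'],
  'img-src': ["'self'", 'data:'],
});
const exampleHeaders = securityHeaders(exampleCsp);

console.log(JSON.stringify(nextHeadersConfig(exampleHeaders), null, 2));
console.log(renderVercelJson(exampleHeaders));
console.log(renderNetlifyHeaders(exampleHeaders));
```

When a legitimate resource is blocked, add its origin to the relevant directive in buildCsp's input and re-render rather than editing the three generated files by hand; keeping the policy in one place is what stops the platform copies from drifting apart.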

Code Examples

Security headers in a Next.js config

Vulnerable

// next.config.js generated by Windsurf
const nextConfig = {
  // No security headers configured
}
module.exports = nextConfig

Secure

// next.config.js with security headers
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          { key: 'X-Content-Type-Options', value: 'nosniff' },
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'Strict-Transport-Security',
            value: 'max-age=63072000; includeSubDomains; preload' },
          { key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin' },
          { key: 'Permissions-Policy',
            value: 'camera=(), microphone=(), geolocation=()' },
        ],
      },
    ]
  },
}
module.exports = nextConfig

Frequently Asked Questions

Which security headers should every Windsurf app have?

At minimum: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security with max-age of at least one year, and Referrer-Policy: strict-origin-when-cross-origin. Content-Security-Policy is also strongly recommended but requires customization per app.

Will adding security headers break my Windsurf app?

X-Content-Type-Options and Strict-Transport-Security are safe to add immediately. X-Frame-Options: DENY is safe unless your app is intentionally embedded in iframes. Content-Security-Policy and Permissions-Policy require testing since they may block legitimate resources.

Why doesn't Windsurf generate security headers automatically?

Security headers depend on the specific resources and behaviors of each application. A Content-Security-Policy that works for one app would break another. Windsurf avoids generating headers that could cause errors, but this means no security headers are set at all.

Is Your App Vulnerable?

VAS automatically scans for insecure headers and other security issues in Windsurf apps. Get actionable results with step-by-step fixes.

Scans from $5, results in minutes.