Secure Legion Labs

Misconfiguration Lab

Security Headers Hardening

This room simulates a production app with weak response headers. Your goal is to review what is missing, apply a hardened configuration, and reduce the browser-side attack surface before a client launch.

Objective: Harden the response. Enable the right security headers and use safe values.
Focus: Browser protections. Lock down framing, sniffing, transport, CSP, and data exposure.
Flag: Unlock after full fix. The flag appears only when the misconfiguration baseline is fully secured.
Review Scope

Known weaknesses in the target app

Clickjacking risk

The application can currently be embedded inside third-party frames.

Transport weakness

Browsers are not forced to stay on HTTPS after the first visit.

Content injection surface

No restrictive CSP is present, so injected scripts and loose asset loading are easier to abuse.

Target State

What “secure enough” means here

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'
Referrer-Policy: strict-origin-when-cross-origin

The room checks whether your chosen values actually match a sensible hardened baseline, not just whether a header exists.
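The check the room describes, presence plus a sensible value, is easy to reproduce outside the room. The following is an added example, not the lab's own checker: it audits a response's headers against the Target State above and reports every header that is missing or weak. The two sample header sets (an insecure default profile and the hardened one) are constructed for the example, and the rule thresholds (one-year HSTS, no `*`/`'unsafe-inline'`/`'unsafe-eval'` in any CSP directive, a short allow-list of Referrer-Policy values) are this example's own assumptions about what "sensible" means.

```python
"""Audit an HTTP response's security headers against a hardened baseline."""
from __future__ import annotations

import re
from typing import Mapping

# Baseline taken from the Target State section; thresholds are this example's assumptions.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds
EXACT_CSP_DIRECTIVES = {  # these directives must match the baseline exactly
    "frame-ancestors": {"'none'"},
    "object-src": {"'none'"},
    "base-uri": {"'self'"},
}
LOOSE_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample responses: the room's "insecure default profile" and the hardened target.
INSECURE_DEFAULT = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> dict[str, set[str]]:
    """Split a CSP string into {directive: set(sources)}; directive names are case-insensitive."""
    policy: dict[str, set[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def audit_headers(headers: Mapping[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the response meets the baseline."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options missing or not DENY: page can be framed")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS missing or max-age below {MIN_HSTS_MAX_AGE}")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")

    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("CSP missing or has no default-src fallback")
    for directive, expected in EXACT_CSP_DIRECTIVES.items():
        if csp.get(directive) != expected:
            findings.append(f"CSP {directive} must be exactly {' '.join(sorted(expected))}")
    for directive, sources in csp.items():
        loose = sources & LOOSE_CSP_SOURCES
        if loose:  # a permissive policy is not a fix, even though the header exists
            findings.append(f"CSP {directive} allows {', '.join(sorted(loose))}")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or too permissive")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("insecure default", INSECURE_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {audit_headers(hdrs) or 'baseline met'}")
```

Run it against a live response by building the dictionary from your HTTP client's response headers; anything returned is a control the room would still show as missing or weak.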

Configuration Panel

Apply hardening controls

Toggle the required protections on, then generate the secure response. Some controls also need the correct production-safe value to count as fixed.

X-Frame-Options
Blocks framing. `DENY` is the strongest fit for this room.
X-Content-Type-Options
Stops browsers from MIME-sniffing a response away from its declared Content-Type.
Strict-Transport-Security
Short-lived HSTS is not enough here. Use the long-lived production value.
Content-Security-Policy
A permissive CSP does not count as a fix. The stricter policy does.
Referrer-Policy
Limit how much referrer data leaks to external destinations.
Server Output

Rendered security review

The preview below shows the effective response after your selections are applied. Missing or weak controls stay visible until the baseline is fully secured.

No configuration applied yet.

Status: the app still reflects the insecure default profile.

Flag Unlock

Challenge flag

Once the response is fully hardened, the flag will unlock here.

Submit Flag

Validate completion

Submit the flag after you harden the configuration properly.

Flag is locked until the misconfiguration baseline is fully fixed.

Hardening Flow

How this configuration review works

1. Inspect missing headers

Review what protections are absent or weak in the current response.

2. Apply secure values

Turn on the necessary controls and choose production-safe values rather than symbolic fixes.

3. Validate the baseline

Once every required header is present with the correct value, the room unlocks the flag.
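Steps 2 and 3 above amount to putting the hardened values on every response and confirming they are there. As an added example (not the room's app or its checker), the following WSGI middleware applies the Target State baseline to whatever application it wraps. It assumes the app is a plain WSGI callable, adds Strict-Transport-Security only on HTTPS responses (browsers ignore HSTS delivered over plain HTTP), and replaces any weaker value the app set for a baseline header, since a symbolic fix such as `X-Frame-Options: SAMEORIGIN` does not count here. `demo_app` and `call_app` are constructed stand-ins for the "production app" and for a request to it.

```python
"""Apply the hardened security-header baseline to every response of a WSGI app."""
from __future__ import annotations

from io import BytesIO

# Baseline values from the Target State section.
SECURE_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy",
     "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]
# HSTS is only honoured when received over HTTPS, so it is added per request scheme.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries the baseline, overriding weaker app values."""
    def wrapped(environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            wanted = list(SECURE_HEADERS)
            if environ.get("wsgi.url_scheme") == "https":
                wanted.append(HSTS_HEADER)
            enforced = {name.lower() for name, _ in wanted}
            # Drop the app's own copies of baseline headers so a weak value cannot survive.
            kept = [(n, v) for n, v in headers if n.lower() not in enforced]
            return start_response(status, kept + wanted, exc_info)
        return app(environ, hardened_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the room's app; it sets a weaker framing value on purpose."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<h1>Hello</h1>"]


def call_app(app, scheme="https"):
    """Invoke a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme,
        "wsgi.input": BytesIO(b""), "SERVER_NAME": "lab.example", "SERVER_PORT": "443",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    hardened_app = security_headers_middleware(demo_app)
    status, headers, body = call_app(hardened_app)
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

If a route needs a stricter CSP than the baseline (for example a page that should block all scripts), extend `hardened_start_response` to merge the app's policy with the baseline instead of replacing it; the replace-always behaviour shown here is the simplest way to guarantee the room's required values.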