Severity: Medium · Area: backend/security · Evidence: acbu-backend/src/index.ts
Impact: Missing headers increase XSS/clickjacking impact for any HTML served. Fix direction: Helmet defaults + CSP for any static docs. Acceptance check: securityheaders.io A- or documented exceptions.
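One way to turn the acceptance check into a local regression test, as an added example that is not code from acbu-backend: a dependency-free audit of a response's headers that honours documented exceptions. The set of headers checked, the sample responses and the exception entry are assumptions made for illustration; the function does not reproduce securityheaders.io's grading.

```typescript
// Added example (not project code): header audit for the acceptance check above.
type HeaderMap = Record<string, string>;
interface Finding { header: string; problem: string }
// Constructed sample responses: one bare, one hardened.
const BARE: HeaderMap = { "Content-Type": "text/html" };
const HARDENED: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "no-referrer",
};
// Documented exceptions (constructed): header -> reason it is intentionally absent.
const EXCEPTIONS: Record<string, string> = {
  "permissions-policy": "no browser features requested by served pages",
};

function auditHeaders(raw: HeaderMap, exceptions: Record<string, string> = {}): Finding[] {
  // Header names are case-insensitive; normalise before lookup.
  const h: HeaderMap = {};
  for (const k of Object.keys(raw)) h[k.toLowerCase()] = raw[k].trim();
  const findings: Finding[] = [];
  const flag = (header: string, problem: string): void => {
    if (!(header in exceptions)) findings.push({ header, problem });
  };
  const csp = h["content-security-policy"] ?? "";
  if (!csp) flag("content-security-policy", "missing");
  else {
    const directives = new Map<string, string[]>();
    for (const part of csp.split(";")) {
      const [name, ...values] = part.trim().split(/\s+/);
      if (name) directives.set(name.toLowerCase(), values);
    }
    const scripts = directives.get("script-src") ?? directives.get("default-src");
    if (!scripts) flag("content-security-policy", "no script-src or default-src");
    else if (scripts.indexOf("'unsafe-inline'") !== -1)
      flag("content-security-policy", "script source allows 'unsafe-inline'");
  }
  // Clickjacking: CSP frame-ancestors or X-Frame-Options must restrict framing.
  const xfo = (h["x-frame-options"] ?? "").toUpperCase();
  if (!/frame-ancestors/i.test(csp) && xfo !== "DENY" && xfo !== "SAMEORIGIN")
    flag("x-frame-options", "framing not restricted");
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff")
    flag("x-content-type-options", "not set to nosniff");
  if (!/max-age=[1-9]\d*/i.test(h["strict-transport-security"] ?? ""))
    flag("strict-transport-security", "missing or max-age=0");
  for (const name of ["referrer-policy", "permissions-policy"])
    if (!h[name]) flag(name, "missing");
  return findings;
}
```

An empty result from `auditHeaders(responseHeaders, EXCEPTIONS)` means every checked header is either present with a restrictive value or covered by a documented exception.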