Anonymous Intelligence Signal

GitHub Issue: 'djust_audit' Needs '--live' Mode to Catch Hidden Security Header Stripping in Production

human The Lab unverified 2026-04-10 21:22:48 Source: GitHub Issues

A critical security gap has been exposed in the `djust_audit` tool, which currently relies on static analysis and therefore cannot detect when security headers are silently stripped or rewritten by production infrastructure before they reach the client. The proposal calls for a new `--live <url>` mode (or a separate `djust_live_audit` command) that actively probes a running deployment to verify that the configured security headers are actually present in responses and to test WebSocket endpoints for Cross-Site WebSocket Hijacking (CSWSH) defenses, i.e. whether a handshake from a foreign Origin is rejected.

This enhancement is not theoretical; it stems directly from a penetration test conducted on April 10, 2026, against the `flexion/nyc-claims` project. The test revealed that while `django-csp` was correctly configured in `settings.py` with comprehensive directives like `CSP_SCRIPT_SRC` and `CSP_STYLE_SRC`, the crucial `Content-Security-Policy` header was entirely absent from live production HTTP responses. Static code audits would have passed, but the live deployment was vulnerable.

The failure highlights a dangerous blind spot where middleware ordering, Nginx or ingress configurations, CloudFront behaviors, or service mesh sidecars can intercept and remove headers without triggering any alarms in the codebase. Implementing a live audit capability is now framed as an essential step to close this operational security loophole, moving beyond configuration validation to actual runtime verification.
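As an added example (not code from the djust project or from the issue), here is a minimal probe of the kind the proposed `--live` mode would run: it fetches a page and lists the expected security headers that never reached the client, then sends a WebSocket handshake carrying a foreign Origin to see whether the endpoint upgrades it anyway. The expected-header list, the `/ws/` path and the Origin value are assumptions for this example.

```python
"""Added example: minimal live-header probe in the spirit of the proposed
`djust_audit --live <url>` mode. Illustrative code, not the djust project's own;
the expected-header list, WebSocket path and Origin value are assumptions."""
from __future__ import annotations
import http.client
import urllib.parse
from typing import Mapping

# Headers a Django app with SecurityMiddleware + django-csp is expected to emit.
# Assumed list for this example; a real tool would derive it from settings.py.
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

def missing_headers(headers: Mapping[str, str], expected=EXPECTED_HEADERS) -> list[str]:
    """Expected security headers absent from a live response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in expected if h not in present]

def cswsh_exposed(status: int, headers: Mapping[str, str]) -> bool:
    """True if a handshake sent with a foreign Origin was still upgraded (101),
    meaning the endpoint does not enforce an Origin allow-list."""
    upgrade = {k.lower(): v for k, v in headers.items()}.get("upgrade", "")
    return status == 101 and upgrade.lower() == "websocket"

def fetch(url: str, extra: Mapping[str, str] | None = None) -> tuple[int, dict[str, str]]:
    """One GET against the live deployment; returns (status, headers)."""
    u = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    conn.request("GET", u.path or "/", headers=dict(extra or {}))
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def live_audit(url: str, ws_path: str = "/ws/") -> dict:
    """Probe a running deployment: report stripped headers and CSWSH exposure."""
    _, headers = fetch(url)
    ws_status, ws_headers = fetch(urllib.parse.urljoin(url, ws_path), {
        "Upgrade": "websocket", "Connection": "Upgrade",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",  # RFC 6455 sample key
        "Origin": "https://audit-origin.invalid",  # origin the app should reject
    })
    return {"missing": missing_headers(headers),
            "cswsh": cswsh_exposed(ws_status, ws_headers)}
```

Run `live_audit("https://your-deployment.example/")` against your own deployment; a non-empty `missing` list is exactly the case from the pentest above (configured in `settings.py`, absent on the wire), and `cswsh: True` means the WebSocket endpoint accepted a handshake it should have refused.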