diff --git a/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml b/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml
new file mode 100644
index 00000000..4a77adda
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainCORSHeaders.yml
@@ -0,0 +1,57 @@
+id: MUST_CONTAIN_CORS_RESPONSE_HEADERS
+info:
+ name: Missing CORS Response Headers
+ description: "The response does not contain some CORS security headers."
+ details: >
+ "These headers control how and when resources can be accessed from other origins. They isolate your pages from other sites unless cross-origin access is explicitly allowed. This creates a secure context required for certain browser features."
+ impact: "Stops cross-origin data leaks and side-channel attacks."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Cross-Origin-Embedder-Policy
+ - Cross-Origin-Opener-Policy
+ - Cross-Origin-Resource-Policy
+strategy:
+ run_once: /
diff --git a/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml b/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml
new file mode 100644
index 00000000..8c6fe7d9
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainCachingHeaders.yml
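Review bot: The `validate` block's `response_headers: for_one: key: not_contains:` with the three header names reads as "at least one header key is not one of these", which would be satisfied by practically every 2xx response that carries a `Content-Type`, rather than only by responses where all three CORS headers are absent; if `for_one` indeed means "some header matches the predicate", the condition is inverted and needs the engine's "no header key equals any of these" form, and the same construction is repeated in MustContainCachingHeaders.yml, MustContainContentSecurityHeaders.yml, MustContainHSTSHeaders.yml and MustContainPrivacyFeatureHeaders.yml in this commit. `requests: - req: []` replays the captured request unmodified, so `nature: INTRUSIVE` appears to overstate what the test does — confirm against the schema's allowed values. The `impact` text `Stops cross-origin data leaks and side-channel attacks.` describes the headers' benefit, whereas the field should state the consequence of their absence, e.g. `impact: "Without these headers, other origins can embed or read the resource, enabling cross-origin data leaks and side-channel attacks."`. The two `cve` entries look inherited from the parent template and appear to concern header-handling defects rather than missing headers — verify they belong in a missing-header finding. The folded `details:` scalar wraps its text in literal `"` characters, which will appear as stray quotes in the rendered finding; drop them and let the block scalar carry the text.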
@@ -0,0 +1,58 @@
+id: MUST_CONTAIN_RESPONSE_HEADERS_CACHING
+info:
+ name: Missing Caching & Privacy Control Response Headers
+ description: "The response does not contain some Caching & Privacy Control headers."
+ details: >
+ "The endpoint seems to be missing some HTTP security headers which provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.
"
+ "Background: Whenever a browser requests a page from a web server, the server responds with the content along with Caching & Privacy Control response headers. Some of these headers contain content meta data such as the Content-Encoding, Cache-Control, status codes, etc. Along with these are also HTTP security headers that tell your browser how to behave when handling your website's content. For example, by using the Strict-Transport-Security you can force the browser to communicate solely over HTTPS."
+ impact: "This information can be used to facilitate more sophisticated attacks on your application."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Cache-Control
+ - Clear-Site-Data
+ - Pragma
+strategy:
+ run_once: /
diff --git a/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml b/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
new file mode 100644
index 00000000..342336df
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainContentSecurityHeaders.yml
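Review bot: Requiring `Clear-Site-Data` on every 2xx response in the `not_contains` list will report almost every endpoint, since that header is normally sent only on logout or session-reset responses; the template name promises a caching check, so `Cache-Control` (with `Pragma` for HTTP/1.0 caches) is the set worth requiring, and `Clear-Site-Data` would fit a separate template scoped to logout endpoints. Presence alone also does not establish safe caching — a response carrying `Cache-Control: public, max-age=...` on user data passes this check while being worse than no header — so a value check (`no-store` for authenticated responses) would be needed for the `impact` text to hold. The `details` text discusses `Strict-Transport-Security`, which belongs to the transport-security template rather than caching headers; trimming the example to `Cache-Control: no-store` for responses containing user data would keep the text on topic. The folded `details:` scalar appears to contain an unmatched `"` on a line of its own (the `"` opening the second physical line of the hunk), which will show up as a stray quote in the rendered finding — confirm against the committed file.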
@@ -0,0 +1,58 @@
+id: MUST_CONTAIN_CONTENT_SEC_RESPONSE_HEADERS
+info:
+ name: Missing Content & Framing Security Response Headers
+ description: "The response does not contain some Content & Framing Security security headers."
+ details: >
+ "These headers prevent untrusted scripts, styles, or content from executing in your pages. They stop MIME type sniffing and block your pages from being embedded in iframes. This helps reduce attack vectors like XSS and clickjacking."
+ impact: "Blocks XSS, clickjacking, and content injection attacks."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Content-Security-Policy
+ - X-Content-Type-Options
+ - X-Frame-Options
+ - X-Permitted-Cross-Domain-Policies
+strategy:
+ run_once: /
diff --git a/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml b/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml
new file mode 100644
index 00000000..758c5a17
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainHSTSHeaders.yml
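Review bot: The `description` string repeats a word — `Content & Framing Security security headers` — and should read `description: "The response does not contain some Content & Framing Security headers."`. Requiring `X-Frame-Options` independently of `Content-Security-Policy` will flag responses that already set a CSP with `frame-ancestors`, which supersedes `X-Frame-Options`, and `X-Permitted-Cross-Domain-Policies` only matters where Flash/PDF cross-domain policy files are served, so it is rarely meaningful on JSON API responses; consider keeping `Content-Security-Policy` and `X-Content-Type-Options` as the required pair and moving the other two into a lower-noise template or documenting the expected false positives in `details`. As with the sibling templates, `impact: "Blocks XSS, clickjacking, and content injection attacks."` describes the headers' benefit; the field should state what their absence allows, e.g. `impact: "Without these headers, injected content may execute, responses may be MIME-sniffed, and pages may be framed for clickjacking."`.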
@@ -0,0 +1,55 @@
+id: MUST_CONTAIN_TRANSPORT_SEC_RESPONSE_HEADERS
+info:
+ name: Missing Transport Security Response Headers
+ description: "The response does not contain Transport Security headers."
+ details: >
+ "This category enforces the use of secure HTTPS connections between the client and server. It ensures that once a user connects securely, all future requests remain encrypted. This protects against downgrade attacks and interception of unencrypted traffic."
+ impact: "Blocks man-in-the-middle attacks over insecure channels."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Strict-Transport-Security
+strategy:
+ run_once: /
diff --git a/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml b/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
new file mode 100644
index 00000000..3dfe4a7d
--- /dev/null
+++ b/Misconfigured-HTTP-Headers/MustContainPrivacyFeatureHeaders.yml
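Review bot: The `validate` block only tests for the presence of `Strict-Transport-Security`; a header carrying `max-age=0`, a very short `max-age`, or no `includeSubDomains` disables or weakens HSTS yet passes this template, so a value check on the header is needed to back the claim made in `impact`. Browsers also ignore `Strict-Transport-Security` on plain-HTTP responses, and nothing in `api_selection_filters` restricts the check to HTTPS URLs, so HTTP endpoints will be reported as missing a header that could not take effect there — add a scheme filter if the filter schema supports one, or state the limitation in `details`. `impact: "Blocks man-in-the-middle attacks over insecure channels."` describes the header rather than the consequence of its absence; `impact: "Without HSTS, a first or downgraded HTTP connection can be intercepted, exposing cookies and tokens to a network attacker."` fits the field.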
@@ -0,0 +1,56 @@
+id: MUST_CONTAIN_PRIVACY_RESPONSE_HEADERS
+info:
+ name: Missing Privacy & Feature Restriction Response Headers
+ description: "The response does not contain Privacy & Feature Restriction security headers."
+ details: >
+ "These headers limit what referrer information is shared when navigating to other sites. They also restrict access to powerful browser APIs like camera, microphone, and geolocation. This reduces the exposure of sensitive user data."
+ impact: "Minimizes data leaks and reduces browser attack surface."
+ category:
+ name: MHH
+ shortName: Misconfigured HTTP Headers
+ displayName: Misconfigured HTTP Headers (MHH)
+ subCategory: MUST_CONTAIN_RESPONSE_HEADERS
+ severity: LOW
+ tags:
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://web.dev/security-headers/"
+ - "https://www.keycdn.com/blog/http-security-headers"
+ - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
+ cwe:
+ - CWE-693
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
+
+attributes:
+ nature: INTRUSIVE
+ plan: STANDARD
+ duration: FAST
+
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ method:
+ neq: "OPTIONS"
+execute:
+ type: single
+ requests:
+ - req: []
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_headers:
+ for_one:
+ key:
+ not_contains:
+ - Permissions-Policy
+ - Referrer-Policy
+strategy:
+ run_once: /
diff --git a/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml b/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
index e91051a3..23f321f2 100644
--- a/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
+++ b/Misconfigured-HTTP-Headers/MustContainResponseHeaders.yaml
@@ -31,7 +31,7 @@ attributes: plan: STANDARD duration: FAST - +inactive: true api_selection_filters: response_code: gte: 200
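Review bot: `Permissions-Policy` governs browser features on documents (camera, microphone, geolocation, as the `details` text says); on API endpoints that return JSON it has no effect, so requiring it on every 2xx response in the `not_contains` list will mostly produce noise — restrict the template to HTML responses via the response content type if the filter schema allows it, or document the expected false positives in `details`. `Referrer-Policy` is the more broadly applicable of the two, but a presence-only check still accepts `unsafe-url`, its weakest value, so a value check would be needed for the `impact` text to hold. As in the sibling templates, `impact: "Minimizes data leaks and reduces browser attack surface."` describes the headers' effect rather than the consequence of their absence; `impact: "Without these headers, full URLs may leak to third parties via the Referer header and embedded content can use powerful browser APIs."` states the risk.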