Muh. Fadli Fauzi Sahlan
Universitas Bosowa

Browser-Side Security Vulnerabilities in Healthcare Institutions Using Dynamic Application Security Testing (DAST): A Case Study of RS Mata Makassar
Supriadi Syam; Abdillah SAS; Sahabuddin; Muh. Fadli Fauzi Sahlan
Information Technology Education Journal Vol. 5, No. 1, February (2026)
Publisher: Jurusan Teknik Informatika dan Komputer

DOI: 10.59562/intec.v5i1.269

Abstract

Purpose – Digital transformation has made healthcare websites critical for patient services, yet regional providers in developing economies often face a "security-functionality" paradox. This study conducts an automated vulnerability assessment of the RS Mata Makassar website to profile browser-side security and discusses how observed misconfigurations could hypothetically affect clinical operations if exploited.

Design/methodology/approach – The research employs a black-box Dynamic Application Security Testing (DAST) approach using the open-source Wapiti scanner. The methodology involves crawling public endpoints and performing non-intrusive fuzzing to evaluate declarative security controls, specifically Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and secure cookie attributes.

Findings – While no critical injection flaws (SQLi/XSS) were detected, the assessment revealed a complete absence of basic security controls. Compliance scores reached 0/5 for CSP, 0/5 for HSTS, and 0/3 for secure cookie attributes. These results fall significantly below global healthcare benchmarks, exposing high vulnerability to session hijacking and protocol downgrades.

Originality/value – This study audits browser-side security misconfigurations, specifically CSP, HSTS, and cookie attributes using a black-box DAST approach with Wapiti on a regional healthcare website. This study provides a low-cost technical audit approach for identifying browser-side security misconfigurations in a regional healthcare website.