Self-XSS (XSS that only affects the attacker's own session) - Missing security headers without demonstrated impact - Clickjacking without sensitive action - Rate limiting without demonstrated impact - SPF/DKIM/DMARC configuration issues - Social engineering of employees - Physical attacks - Denial o