Security Headers
Based on OWASP's Rest Security Cheatsheet.
The following headers are recommended for all API responses:
Cache-Control: no-store
Prevents the browser and any intermediaries from caching the response. Ensures sensitive data isn’t stored and each request gets fresh data.
Sensitive data such as personal or financial information may be stored in browser cache and accessed by unauthorized users on shared or compromised systems.
Content-Security-Policy: frame-ancestors 'none'
Blocks the API response from being embedded in frames or iframes, protecting against clickjacking.
A malicious website can embed the page in a hidden iframe to trick users into clicking actions intended for another application (clickjacking).
Content-Type
Specifies the correct type of content and prevents the browser from guessing and misinterpreting the response type (MIME sniffing).
A browser may interpret a text response as executable JavaScript, enabling execution of untrusted scripts and leading to cross-site scripting (XSS).
Strict-Transport-Security
Forces the browser to use HTTPS for future requests to the domain, protecting against downgrade attacks and insecure connections.
An attacker on the network can intercept initial HTTP connections and redirect traffic to a malicious site or capture credentials (SSL stripping).
X-Content-Type-Options: nosniff
Ensures the browser respects the declared Content-Type and doesn’t attempt MIME sniffing.
A file served with an incorrect MIME type may be executed as active content by the browser, allowing XSS or other script-based attacks.
X-Frame-Options: DENY
Similar to frame-ancestors, it blocks the response from being framed, offering clickjacking protection.
The application could be embedded in a frame and manipulated to perform unauthorized actions through deceptive UI overlays (clickjacking).
The following headers mainly enhance security for HTML responses:
Content-Security-Policy
Primarily affects HTML pages by controlling what content can be loaded. Not useful for APIs that don’t return HTML.
Permissions-Policy
Controls access to browser features. Useful mostly in browsers rendering HTML. Can still be applied broadly as a safeguard.
Referrer-Policy
Controls what referrer information is sent with requests. Has minimal impact on non-HTML responses, but safe to include.
Last updated
Was this helpful?