HTTP headers for a more secure web application

The following headers are sent by default when you enable Spring Security for a resource. If you are not using Spring Security you might want to add them manually. You might need to adjust HSTS and X-Frame-Options to your needs, so don't just copy and paste!

Cache-Control, Pragma, Expires

Prevent caching of resources that can leak information. Note that you might actually need to cache some resources in some systems.

X-Content-Type-Options

Prevent browsers from guessing the content type to protect against polyglots.

Strict-Transport-Security

Require HTTPS for every connection after the first.

X-Frame-Options

Deny embedding in iframes to prevent clickjacking.

X-XSS-Protection

Always block the page when the browser's XSS filter catches something rather than try to fix it.

Wait, you need more (CSP)

You really should get a proper Content Security Policy in there as well. You can run your application in report-only mode to check what you need to fine-tune. Google has a great guide and evaluator that will get you set up.
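As an added example for the CSP step (not code from the post, from Spring Security or from Google's evaluator), the following parses a policy string, applies a handful of the checks such an evaluator makes, and picks the report-only or enforcing header name. The two policies and the rule set are constructed for illustration.

```python
ENFORCING_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Constructed policies for illustration, not taken from any real application.
DRAFT_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *; report-uri /csp-report"
TIGHTER_POLICY = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                  "base-uri 'self'; report-uri /csp-report")

# Fetch directives that fall back to default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "object-src", "style-src", "img-src", "connect-src"}


def parse_csp(policy):
    """Parse a CSP header value into {directive: [sources]}.

    Directives are ';'-separated; within one, tokens are whitespace-separated.
    When a directive name repeats, browsers keep the first occurrence and ignore
    the rest, so this parser does the same.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = [t.lower() for t in tokens[1:]]
    return directives


def effective_sources(directives, name):
    """Sources that actually apply to `name`, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src", [])
    return []


def evaluate_csp(policy):
    """Return findings for a policy; an empty list means none of these checks fired."""
    d = parse_csp(policy)
    findings = []

    if "default-src" not in d:
        findings.append("no default-src: every fetch directive you leave out is unrestricted")

    script = effective_sources(d, "script-src")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline', so injected inline scripts still run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or "https:" in script or "http:" in script:
        findings.append("script-src allows scripts from any host")

    if "'none'" not in effective_sources(d, "object-src"):
        findings.append("object-src is not 'none', so plugin content can be loaded")

    if "base-uri" not in d:
        findings.append("base-uri missing, so an injected <base> tag can redirect relative URLs")

    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations found in report-only mode go nowhere")

    return findings


def csp_headers(policy, report_only):
    """Header to send: report-only while tuning, enforcing once the report stream is clean."""
    name = REPORT_ONLY_HEADER if report_only else ENFORCING_HEADER
    return {name: policy}


if __name__ == "__main__":
    for label, policy in (("draft", DRAFT_POLICY), ("tighter", TIGHTER_POLICY)):
        print(label, csp_headers(policy, report_only=True))
        for finding in evaluate_csp(policy):
            print("  -", finding)
```

Start by shipping the policy under `Content-Security-Policy-Report-Only` with a `report-uri`, work through the reports until the stream is clean, then switch `report_only` to `False` so the same policy is enforced.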