December 2, 2016

HTTP headers for a more secure web application

The following headers are sent by default when you enable Spring Security for a resource. If you are not using Spring Security you may want to add them manually. You will almost certainly need to adjust HSTS and X-Frame-Options to your own situation, so don't just copy and paste from here!

Cache-Control, Pragma, Expires

Prevent caching of responses that could leak information, for example personal data sitting in a shared proxy or in the browser cache after the user has logged out. Note that you will still want to cache some resources (static assets, public pages) in most systems, so scope this to the sensitive ones.

X-Content-Type-Options

Prevent browsers from sniffing the content type and rendering a response as something other than what the Content-Type header declares. This protects against polyglot files, e.g. an uploaded "image" that is also valid HTML or script, being interpreted as the more dangerous type.

Strict-Transport-Security

Require HTTPS for every connection to this host after the first one: once the browser has seen the header on an HTTPS response it upgrades later requests itself, for max-age seconds and optionally for all subdomains. The header is only honoured over HTTPS, and a long max-age will lock users out of anything on the host that still needs plain HTTP, so set it deliberately.

X-Frame-Options

Deny embedding in iframes to prevent clickjacking. Use SAMEORIGIN instead of DENY if your own pages need to frame each other.

X-XSS-Protection

Tell browsers that ship a built-in XSS filter to block the page outright when the filter triggers, rather than trying to rewrite the page, since the partial rewriting can itself introduce problems. This is a browser-side heuristic and not a replacement for proper output encoding.
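The header set above, as an added example that is not code from the original post or from Spring Security: a plain dict a non-Spring application can send, with the two knobs the post says you must adapt (HSTS and X-Frame-Options) exposed as parameters, and a small audit that flags the mistakes a reviewer typically finds when headers were added by hand. The header values mirror Spring Security's documented defaults (spacing normalized); the weak sample response, the `ONE_YEAR` threshold and the function names are my own constructions.

```python
"""Added example (not from the original post or from Spring Security): the
default security header set as a plain dict, plus an audit for a response."""

import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age Spring Security uses by default


def security_headers(hsts_max_age: int = ONE_YEAR,
                     include_subdomains: bool = True,
                     frame_options: str = "DENY",
                     cacheable: bool = False) -> Dict[str, str]:
    """Build the header set the post lists. Defaults mirror Spring Security's
    documented defaults; `cacheable=True` drops the anti-caching headers for
    static, non-sensitive resources."""
    if frame_options not in ("DENY", "SAMEORIGIN"):
        raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
    hsts = f"max-age={hsts_max_age}"
    if include_subdomains:
        hsts += "; includeSubDomains"
    headers = {
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing, no polyglot tricks
        "Strict-Transport-Security": hsts,      # only honoured on an HTTPS response
        "X-Frame-Options": frame_options,       # clickjacking
        "X-XSS-Protection": "1; mode=block",    # legacy filter: block, don't rewrite
    }
    if not cacheable:
        headers.update({
            "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
            "Pragma": "no-cache",   # for HTTP/1.0 caches
            "Expires": "0",         # an already-expired date for old caches
        })
    return headers


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def audit(headers: Dict[str, str], expect_no_store: bool = True,
          min_hsts_age: int = ONE_YEAR) -> List[str]:
    """Return findings for one response's headers; an empty list means clean."""
    findings: List[str] = []

    if _get(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    hsts = _get(headers, "Strict-Transport-Security")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif int(m.group(1)) < min_hsts_age:
        findings.append(f"HSTS max-age {m.group(1)} is below {min_hsts_age}")

    # ALLOW-FROM is obsolete and ignored by current browsers, so it counts as unset.
    if _get(headers, "X-Frame-Options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    if expect_no_store and "no-store" not in _get(headers, "Cache-Control").lower():
        findings.append("Cache-Control lacks no-store on a sensitive response")

    # Treated as optional, but if present it must be in block mode.
    xss = _get(headers, "X-XSS-Protection").replace(" ", "").lower()
    if xss and xss != "1;mode=block":
        findings.append("X-XSS-Protection set but not '1; mode=block'")

    return findings


# Constructed sample: headers added by hand with three mistakes (nosniff missing,
# a token HSTS max-age, the XSS filter left in rewrite mode) and a weak Cache-Control.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1",
    "Cache-Control": "no-cache",
}

if __name__ == "__main__":
    print(audit(security_headers()))   # []
    for finding in audit(WEAK_RESPONSE):
        print("-", finding)
```

Run the audit against a real response by feeding it `dict(resp.headers)` from whatever HTTP client you use; pass `expect_no_store=False` for static assets you have deliberately made cacheable.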

Wait, you need more (CSP)

You really should also get a proper Content Security Policy in place. Start by shipping the policy in report-only mode (the Content-Security-Policy-Report-Only header): nothing is blocked, but the browser reports every violation to your report-uri, so you can see what would break and fine-tune the policy before enforcing it. Google has a great guide and a CSP evaluator that will get you set up.
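The report-only feedback loop described above, as an added example that is not code from the original post or from Google's CSP tooling: build the report-only header from a strict starting policy, then fold the JSON violation reports browsers POST to the report-uri into a proposed policy. External origins are added to the violated directive; `inline` and `eval` violations are deliberately not turned into `'unsafe-inline'`/`'unsafe-eval'`, since that would defeat the policy, and are returned as notes to refactor instead. The sample reports, origins and paths are constructed for illustration, in the shape browsers send.

```python
"""Added example (not from the original post or from any CSP tool): the
report-only tuning loop in miniature."""

import json
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# A sensible first attempt: nothing but the application's own origin.
BASE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
}


def render_policy(policy: Dict[str, List[str]]) -> str:
    """Serialize a directive map into the header's 'name src src; name src' form."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def report_only_header(policy: Dict[str, List[str]], report_uri: str) -> Tuple[str, str]:
    """Header to send while tuning: violations are reported, nothing is blocked."""
    return ("Content-Security-Policy-Report-Only",
            render_policy(policy) + f"; report-uri {report_uri}")


def _origin(uri: str) -> str:
    """Reduce a blocked URL to its origin; CSP source lists are origin-based."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else uri


def suggest_policy(policy: Dict[str, List[str]],
                   report_bodies: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Fold violation reports into a proposed policy without mutating the input.

    Returns (proposed_policy, notes). A directive the policy did not name yet is
    seeded from default-src, which is what the browser fell back to.
    """
    proposed = {d: list(s) for d, s in policy.items()}
    notes: List[str] = []
    for body in report_bodies:
        r = json.loads(body)["csp-report"]
        # CSP2+ reports carry effective-directive; older ones only violated-directive.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        blocked = r.get("blocked-uri", "")
        if blocked in ("inline", "eval", ""):
            notes.append(f"{directive}: {blocked or 'inline'} code at "
                         f"{r.get('document-uri')} needs a nonce/hash or a refactor")
            continue
        src = "data:" if blocked == "data" else _origin(blocked)
        srcs = proposed.setdefault(directive, list(policy.get("default-src", [])))
        if src not in srcs:
            srcs.append(src)
    return proposed, sorted(set(notes))


def _report(**fields) -> str:
    return json.dumps({"csp-report": fields})


# Constructed sample reports, as a browser would POST them to the report-uri.
SAMPLE_REPORTS = [
    _report(**{"document-uri": "https://app.example/", "effective-directive": "script-src",
               "violated-directive": "script-src 'self'",
               "blocked-uri": "https://cdn.example.net/lib/jquery.min.js"}),
    _report(**{"document-uri": "https://app.example/", "effective-directive": "img-src",
               "violated-directive": "img-src 'self'", "blocked-uri": "data"}),
    _report(**{"document-uri": "https://app.example/login", "effective-directive": "script-src",
               "violated-directive": "script-src 'self'", "blocked-uri": "inline"}),
    _report(**{"document-uri": "https://app.example/", "effective-directive": "font-src",
               "violated-directive": "default-src 'self'",   # no font-src yet: fell back
               "blocked-uri": "https://fonts.example.org/s/roboto.woff2"}),
]

if __name__ == "__main__":
    print(report_only_header(BASE_POLICY, "/csp-report"))
    proposed, notes = suggest_policy(BASE_POLICY, SAMPLE_REPORTS)
    print(render_policy(proposed))
    for note in notes:
        print("-", note)
```

Once the report stream goes quiet, switch the header name to Content-Security-Policy with the proposed value; keep the report-uri so you still see regressions after enforcement.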