Single Page Application HTTP Headers

Securing a Single Page Application (SPA) is a two-part process: both your API and your static content server need to be secured. On the API level, you might want to add a strict CORS policy to limit access to your various endpoints. The service that serves your static content also needs to be locked down to prevent client-side attacks. This can be achieved by adding the following (non-exhaustive) list of HTTP headers:

X-Frame-Options

X-XSS-Protection

Strict-Transport-Security

Expect-CT

X-Content-Type-Options

Feature-Policy

Content-Security-Policy (generate a bulletproof CSP using Report URI)
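As an added example (not code from the article), here is a small Python audit that checks a captured set of response headers against the list above and reports which are missing or weakly configured. The header names come from the article; the acceptable-value rules (DENY/SAMEORIGIN, nosniff, a one-year HSTS max-age, a CSP with a source directive) are this example's own assumptions, and the two sample responses are constructed, not captured from a real server.

```python
"""Audit a static-content server's response headers against the list above."""
import re


def _max_age(value):
    """Extract the max-age directive (seconds) from an HSTS / Expect-CT value, 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# Header name -> predicate returning True when the value is considered acceptable.
# These thresholds are assumptions for the example, not values the article states.
CHECKS = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-XSS-Protection": lambda v: v.strip().startswith(("0", "1")),
    "Strict-Transport-Security": lambda v: _max_age(v) >= 31536000,  # one year
    "Expect-CT": lambda v: _max_age(v) > 0,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Feature-Policy": lambda v: bool(v.strip()),
    "Content-Security-Policy": lambda v: "default-src" in v or "script-src" in v,
}


def audit(headers):
    """Return {header: 'missing' | 'weak'} for every recommended header that fails."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, ok in CHECKS.items():
        value = lower.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif not ok(value):
            findings[name] = "weak"
    return findings


# Constructed sample responses for a static content server (not real captures).
WEAK = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete form, not DENY/SAMEORIGIN
    "Strict-Transport-Security": "max-age=60",             # far too short
}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Expect-CT": "max-age=86400, enforce",
    "X-Content-Type-Options": "nosniff",
    "Feature-Policy": "geolocation 'none'; camera 'none'",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or "all recommended headers present and acceptable")
```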

Written by

Full-stack + Product. Available for hire either as an independent contractor, or as part of a voliyo.dev team. Inquiries: mail [at] voliyo.dev.
