Single Page Application HTTP Headers

Securing a Single Page Application (SPA) is a two-part process: both your API and your static content server need to be secured. At the API level, you might want to add a strict CORS policy to limit access to your various endpoints. The service that serves your static content will also need to be locked down to prevent client-side attacks. This can be achieved by adding the following (non-exhaustive) list of HTTP headers:

Content-Security-Policy (generate a bulletproof CSP using Report URI)
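As an added example (not code from the original article), the two halves of the advice above in plain Node.js: a restrictive CSP with a report-uri for the static content server, and an allow-list CORS check for the API. The allowed origin and the reporting endpoint are placeholder values, not anything from the page.

```javascript
// Serialize a CSP directive map into one header value.
// { "default-src": ["'self'"] } -> "default-src 'self'"
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// Headers for the static-content server: a strict baseline CSP whose
// violations are sent to a collection endpoint (e.g. one hosted by Report URI).
function staticHeaders(reportEndpoint) {
  return {
    "Content-Security-Policy": buildCsp({
      "default-src": ["'self'"],
      "script-src": ["'self'"],
      "object-src": ["'none'"],
      "base-uri": ["'self'"],
      "frame-ancestors": ["'none'"],
      "report-uri": [reportEndpoint],
    }),
  };
}

// Headers for the API: only echo back an origin that is on an explicit
// allow list. No wildcard and no blind reflection of the Origin header.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin",
  };
}

// Constructed placeholders; replace with your SPA's origin and endpoint.
const ALLOWED_ORIGINS = ["https://app.example"];
const CSP_REPORT_ENDPOINT = "https://REPORT-ENDPOINT.example/csp";

// Pick the header set for a request: API paths get CORS, everything else
// (the static SPA bundle) gets the CSP. Pure function, so it is testable
// without starting a server.
function selectHeaders(path, origin) {
  return path.startsWith("/api/")
    ? corsHeaders(origin, ALLOWED_ORIGINS)
    : staticHeaders(CSP_REPORT_ENDPOINT);
}

module.exports = { buildCsp, staticHeaders, corsHeaders, selectHeaders };
```

Wire `selectHeaders` into your server's response (for example `res.writeHead(200, selectHeaders(req.url, req.headers.origin))`) and the headers apply per request.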
