Single Page Application HTTP Headers

Tom Szpytman
Feb 27 · 1 min read

Securing a Single Page Application (SPA) is a two-part process: both your API and your static content server need to be secure. At the API level, you might want to add a strict CORS policy to limit access to your various endpoints. The service that serves your static content also needs to be locked down to reduce exposure to client-side attacks such as clickjacking, MIME sniffing and script injection. This can be achieved by adding the following (non-exhaustive) list of HTTP headers:

X-Frame-Options
X-XSS-Protection
Strict-Transport-Security
Expect-CT
X-Content-Type-Options
Feature-Policy
Content-Security-Policy (generate a bulletproof CSP using Report URI)
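As an added example (not code from the original post), the Python below audits a response header set against the list above, flagging headers that are missing and values that are present but weak. The sample response, the one-year HSTS floor and the weak-value rules are assumptions made for the demo; Permissions-Policy is accepted in place of Feature-Policy because browsers renamed the header.

```python
# Added example, not code from the original post: audit a response's headers
# against the SPA hardening list, reporting missing headers and weak values.
# Sample response and one-year HSTS floor are constructed for this demo.
REQUIRED = ("x-frame-options", "x-xss-protection", "strict-transport-security",
            "expect-ct", "x-content-type-options", "feature-policy",
            "content-security-policy")
# Feature-Policy was renamed Permissions-Policy; accept either spelling.
ALIASES = {"feature-policy": ("feature-policy", "permissions-policy")}
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds

# Constructed sample: a static-content response with several weak settings.
SAMPLE_HEADERS = {
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

def hsts_max_age(value):  # integer max-age directive of an HSTS header, or None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None

def csp_allows_inline_script(policy):  # does effective script-src allow inline?
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src when it is not set explicitly
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources

def audit_headers(headers):  # returns a list of findings; empty means all passed
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED:  # presence check, accepting the documented alias
        if not any(alias in h for alias in ALIASES.get(name, (name,))):
            findings.append(f"missing: {name}")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options must be DENY or SAMEORIGIN")
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("weak: strict-transport-security max-age below one year")
    if csp_allows_inline_script(h.get("content-security-policy", "")):
        findings.append("weak: content-security-policy permits inline scripts")
    return findings
```

Running `audit_headers(SAMPLE_HEADERS)` reports three missing headers plus weak X-Frame-Options, HSTS and CSP values; run it against a real server's response headers to see which of the list still needs attention.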
