
Security Headers Middleware for Enhanced Protection #327

@phertyameen

Labels: middleware, security, headers, high-priority

Description:

Add comprehensive security headers to all responses to protect against common web vulnerabilities and attacks.

Requirements:

Set security headers on all API responses:

  • X-Content-Type-Options: nosniff (prevent MIME sniffing)
  • X-Frame-Options: DENY (prevent clickjacking)
  • X-XSS-Protection: 1; mode=block (XSS filter)
  • Strict-Transport-Security: enforce HTTPS
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: restrict browser features

Remove sensitive headers that leak information:

  • X-Powered-By (reveals technology stack)
  • Server (reveals server software)

Additional requirements:

  • Set cache control headers appropriately
  • Configure different headers for static vs dynamic content
  • Support HSTS preloading for production
  • Include security.txt file endpoint

Acceptance Criteria:

  • All security headers present in responses
  • No technology information leaked in headers
  • HSTS enforced in production (not in development)
  • Clickjacking prevented by X-Frame-Options
  • MIME type sniffing blocked
  • Cache control headers appropriate for content type
  • Security scanner tools (OWASP ZAP) show no header vulnerabilities
  • Headers configurable per environment
  • No breaking of legitimate functionality
  • Documentation provided for each security header

Headers to Set:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: geolocation=(), microphone=(), camera=()
  • X-DNS-Prefetch-Control: off

Headers to Remove:

  • X-Powered-By
  • Server
  • X-AspNet-Version
  • X-AspNetMvc-Version

Cache Control by Content Type:

  • Dynamic API responses: no-cache, no-store, must-revalidate
  • Static assets: public, max-age=31536000
  • User-specific data: private, no-cache

HSTS Configuration:

  • Development: Not enabled (allow HTTP)
  • Production: max-age=31536000 (1 year)
  • Include subdomains: Yes
  • Preload: Yes (submit to browser HSTS preload list)

Permissions Policy:

  • Disable geolocation (not needed)
  • Disable camera and microphone (not needed)
  • Disable payment API (until needed)
  • Disable USB (not needed)
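One way the policy above could be expressed as framework-agnostic middleware, as an added example that is not part of this issue or the project's code: a single function builds the header set (HSTS only in production, Cache-Control chosen by content type, the Permissions-Policy extended with the payment and USB features listed here), a second applies it to any response object with `setHeader`/`removeHeader`, and an audit helper checks a captured header map against the acceptance criteria. The option names `env`, `contentType` and `userSpecific` are assumptions.

```javascript
// Added example, not code from the issue or its project: a framework-agnostic
// security-header policy plus an audit helper for the acceptance criteria.
// Assumptions (hypothetical names): env is 'production' or 'development',
// contentType is the response Content-Type, userSpecific marks per-user data.

const HEADERS_TO_REMOVE = ['X-Powered-By', 'Server', 'X-AspNet-Version', 'X-AspNetMvc-Version'];
const STATIC_TYPES = /^(image|font)\/|^text\/css|javascript/;

// Cache-Control per content type, following the issue's three cases.
function cacheControlFor(contentType, userSpecific) {
  if (userSpecific) return 'private, no-cache';
  if (STATIC_TYPES.test(contentType)) return 'public, max-age=31536000';
  return 'no-cache, no-store, must-revalidate';
}

// Headers to set. HSTS is added only in production so plain-HTTP development keeps working.
function securityHeaders({ env, contentType = 'application/json', userSpecific = false }) {
  const h = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'X-XSS-Protection': '1; mode=block',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'geolocation=(), microphone=(), camera=(), payment=(), usb=()',
    'X-DNS-Prefetch-Control': 'off',
    'Cache-Control': cacheControlFor(contentType, userSpecific),
  };
  if (env === 'production') {
    h['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains; preload';
  }
  return h;
}

// Apply the policy to any response exposing setHeader/removeHeader (e.g. Node's http.ServerResponse).
function applySecurityHeaders(res, opts) {
  for (const name of HEADERS_TO_REMOVE) res.removeHeader(name);
  for (const [name, value] of Object.entries(securityHeaders(opts))) res.setHeader(name, value);
  return res;
}

// Audit a captured header map the way a scanner would: required headers that are absent
// and stack-revealing headers still present. Header names are compared case-insensitively.
function auditHeaders(headers, env) {
  const have = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const required = Object.keys(securityHeaders({ env }));
  return {
    missing: required.filter((k) => !have.has(k.toLowerCase())),
    leaked: HEADERS_TO_REMOVE.filter((k) => have.has(k.toLowerCase())),
  };
}
```

Running `auditHeaders` over headers captured from a real deployment gives a quick check of the "all security headers present" and "no technology information leaked" criteria before handing the app to a scanner.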
