TL;DR
| Header | What It Prevents | % Missing |
|---|---|---|
| Strict-Transport-Security | Downgrade attacks | ~35% |
| Content-Security-Policy | XSS, injection | ~72% |
| X-Content-Type-Options | MIME sniffing | ~28% |
| X-Frame-Options | Clickjacking | ~40% |
| Referrer-Policy | Data leakage | ~55% |
| Permissions-Policy | Feature abuse | ~68% |
| X-XSS-Protection | Reflected XSS | ~45% |
1. Strict-Transport-Security (HSTS)
What it does: Forces HTTPS. No exceptions. No downgrade to HTTP.
Without it: An attacker on the same network (coffee shop, airport) can intercept the initial HTTP request before it redirects to HTTPS. That's enough to steal credentials or inject malicious content.
The fix:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

Don't set max-age=0 or omit includeSubDomains. Both leave attack surface open.
2. Content-Security-Policy (CSP)
What it does: Controls which resources can load on your page. The single most effective header against XSS.
Without it: Any script injection vulnerability becomes immediately exploitable. XSS payloads can load external scripts, exfiltrate data, or hijack sessions.
The fix:

```http
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'
```

Pro tip: Use hash-based CSP instead of 'unsafe-inline' for scripts:

```bash
# Generate the SHA-256 hash for an inline script. The hash covers the exact
# script text between the tags, so -n keeps echo from adding a trailing newline.
echo -n "your script content" | openssl dgst -sha256 -binary | openssl base64
```

Then reference it as `script-src 'sha256-BASE64HASH'`.
✅ We did this on our own sites
Went from Grade D to Grade A by implementing hash-based CSP. No 'unsafe-inline' needed.
3. X-Content-Type-Options
What it does: Prevents MIME type sniffing. The browser trusts what you tell it, not what it guesses.
Without it: An attacker uploads a file with a .jpg extension that actually contains JavaScript. Some browsers sniff the content, ignore the declared type, and execute it as script.
The fix:

```http
X-Content-Type-Options: nosniff
```
One line. No configuration. Just add it.
4. X-Frame-Options
What it does: Prevents your page from being loaded in an iframe.
Without it: Clickjacking attacks. An attacker overlays your login page inside a transparent iframe on their site. Users click what they think is a harmless button — actually submitting credentials to your page.
The fix:

```http
X-Frame-Options: DENY
```

Or `SAMEORIGIN` if you need to embed your own pages.
5. Referrer-Policy
What it does: Controls what URL information is sent in the Referer header when users navigate away from your page.
Without it: Session tokens in URLs get leaked to external sites. API keys in query parameters get sent to analytics services. Internal paths get exposed to third parties.
The fix:

```http
Referrer-Policy: strict-origin-when-cross-origin
```
6. Permissions-Policy
What it does: Controls which browser features your page can use (camera, microphone, geolocation, etc.).
Without it: If an attacker injects code, they can access the user's camera, microphone, or location without additional prompts.
The fix:

```http
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
```
Explicitly deny everything you don't need.
7. X-XSS-Protection
What it does: Enables the browser's built-in XSS filter in browsers that still ship one (current Chrome, Edge and Firefox have removed or never implemented it, so this is a legacy header; CSP does the real work).
The fix:

```http
X-XSS-Protection: 1; mode=block
```
🔍 Check Your Score in 30 Seconds
We built a free scanner. No signup, no data stored. Enter your URL, get an instant A-F grade.
Why This Matters for Fintech
If you're processing payments, handling PII, or operating under PSD2/PCI-DSS requirements:
- PCI-DSS 4.0 now requires HSTS and CSP for web-facing applications
- PSD2 Strong Customer Authentication assumes secure transport (HSTS is baseline)
- GDPR requires "appropriate technical measures" — security headers are the minimum
Not having these headers isn't just a security risk — it's a compliance gap.
What a Grade A Looks Like
Our sites score 93/100 (Grade A)
Here's the full header set we use:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-...'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 1; mode=block
```
We practice what we preach. Scan our sites to verify.
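As an added example (not the post's scanner or any of its own code), here is a small Python audit that applies this post's checklist to a response header map and reproduces the openssl hash pipeline from the CSP section in Python; both sample header sets are constructed, and the weak-value rules (one-year max-age, includeSubDomains present, no 'unsafe-inline' in script-src without a hash or nonce) follow the values given above.

```python
import base64
import hashlib
import re

# The seven headers this post covers; names are matched case-insensitively.
REQUIRED = [
    "Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options",
    "X-Frame-Options", "Referrer-Policy", "Permissions-Policy", "X-XSS-Protection",
]

def csp_script_hash(script_body: str) -> str:
    """Same value as the openssl pipeline above: SHA-256 over the exact inline
    script text (no trimming, no trailing newline), base64, wrapped for script-src."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def audit_headers(headers: dict) -> list:
    """Return findings for one response's header map; [] means clean.
    Missing headers come first, then weak values in the headers that are present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {n}" for n in REQUIRED if n.lower() not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:  # the two HSTS mistakes called out above: short max-age, no includeSubDomains
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < 31536000:
            findings.append(f"weak HSTS: max-age={age} (want >= 31536000)")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak HSTS: includeSubDomains missing")
    # Only an explicit script-src directive is inspected; a policy that leaves scripts
    # to default-src is not analysed by this simplified check.
    csp = h.get("content-security-policy", "")
    script_src = next((d for d in csp.split(";") if d.strip().startswith("script-src")), "")
    if "'unsafe-inline'" in script_src and not re.search(r"'(sha\d{3}|nonce)-", script_src):
        findings.append("weak CSP: script-src allows 'unsafe-inline' without a hash or nonce")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
GRADE_A = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' " + csp_script_hash("console.log('ok')"),
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()", "X-XSS-Protection": "1; mode=block",
}
```

`audit_headers(WEAK)` reports the four missing headers plus the weak HSTS and CSP values, while `audit_headers(GRADE_A)` returns an empty list.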
Need a Full Audit?
The free scan covers headers and basic transport security. A full audit covers:
- OWASP API Security Top 10 2026
- Authentication & authorization testing
- Business logic review
- PSD2/GDPR/PCI-DSS compliance validation
- Detailed remediation roadmap