Security headers beyond CORS: hardening API responses
Combine CORS with Content-Type discipline, nosniff, and selective CORP/COOP where relevant.
Tags: security, headers, api
Baseline headers
X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type instead of sniffing the body, so a JSON response is never reinterpreted as HTML or script. It only works when the Content-Type is explicit and correct (application/json), so send one on every response, including error responses.
Cross-Origin-Resource-Policy: same-origin (or same-site) stops other origins from loading the response in no-cors mode (as a script, image or embedded object); CORS-mode fetch() calls are unaffected and stay governed by the Access-Control-* headers. Referrer-Policy, Permissions-Policy and COOP are document-level policies: they matter on any HTML the API origin serves (docs, error pages) and are harmless but mostly inert on JSON bodies.
When proxies add headers
A CORS proxy can set or overwrite security headers on the responses it relays, since the upstream may not send them; adding them at the proxy gives defense in depth without touching the upstream service.
Test that upstream Set-Cookie headers are stripped rather than relayed to untrusted browser clients, and that the proxy decides CORS itself instead of passing through upstream Access-Control-* headers. Allow-list origins explicitly, add Vary: Origin when reflecting one, and never combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true.
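The two sections above describe one pass: pick the baseline headers, then apply them at the proxy while stripping what the upstream should not leak. The following is an added example, not code from this post or from any particular proxy. It assumes a plain-object header map with case-insensitive names, a hypothetical allow-list of browser origins, and policy values (nosniff, CORP same-origin, no-referrer) chosen for JSON APIs; the sample upstream headers in `demo()` are constructed.

```javascript
// Added example (not the post's own code): a header-hardening pass a CORS proxy
// can run on each upstream API response before relaying it to a browser, plus
// an audit function to test the result. Policy values are assumptions for JSON
// APIs; header names are compared case-insensitively.

// Headers the proxy must never relay from upstream (assumed list).
const STRIP_FROM_UPSTREAM = new Set([
  'set-cookie',                        // upstream session cookies stay upstream
  'access-control-allow-origin',       // the proxy decides CORS itself
  'access-control-allow-credentials',
  'access-control-expose-headers',
  'transfer-encoding', 'connection', 'keep-alive', // hop-by-hop headers
]);

// Lower-case every header name so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Build the outbound header set for one relayed response.
// requestOrigin: the browser's Origin header (may be undefined).
// allowedOrigins: hypothetical allow-list the proxy is configured with.
function hardenApiResponseHeaders(upstreamHeaders, {
  requestOrigin,
  allowedOrigins,
  defaultContentType = 'application/json; charset=utf-8', // assumed JSON-only routes
}) {
  const upstream = normalise(upstreamHeaders);
  const out = {};
  for (const [name, value] of Object.entries(upstream)) {
    if (!STRIP_FROM_UPSTREAM.has(name)) out[name] = value;
  }
  // Content-Type discipline: nosniff only helps when a type is declared.
  if (!out['content-type']) out['content-type'] = defaultContentType;
  out['x-content-type-options'] = 'nosniff';
  // CORP blocks no-cors loads (<script src>, <img>) from other origins;
  // CORS-mode fetch() is still governed by the ACAO header set below.
  out['cross-origin-resource-policy'] = 'same-origin';
  out['referrer-policy'] = 'no-referrer';
  // CORS: reflect only allow-listed origins, never '*' alongside credentials.
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    out['access-control-allow-origin'] = requestOrigin;
    const vary = out['vary'] || '';
    if (!/\borigin\b/i.test(vary)) out['vary'] = vary ? `${vary}, Origin` : 'Origin';
  }
  return out;
}

// Audit an outbound header set; returns a list of findings (empty when clean).
function auditApiResponseHeaders(headers) {
  const h = normalise(headers);
  const findings = [];
  if ('set-cookie' in h) findings.push('upstream Set-Cookie relayed to client');
  if (h['x-content-type-options'] !== 'nosniff') findings.push('missing X-Content-Type-Options: nosniff');
  if (!h['content-type']) findings.push('missing Content-Type');
  const acao = h['access-control-allow-origin'];
  const creds = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && creds) findings.push('ACAO * combined with credentials');
  if (acao && acao !== '*' && !/\borigin\b/i.test(h['vary'] || '')) {
    findings.push('per-origin ACAO without Vary: Origin');
  }
  return findings;
}

// Constructed sample: what a careless upstream might send back to the proxy.
const SAMPLE_UPSTREAM = {
  'Content-Type': 'application/json',
  'Set-Cookie': 'session=abc123; HttpOnly',  // constructed, not a real session
  'X-Request-Id': 'r-1',
  'Access-Control-Allow-Origin': '*',
};

function demo() {
  const allowedOrigins = ['https://app.example']; // hypothetical allow-list
  const hardened = hardenApiResponseHeaders(SAMPLE_UPSTREAM, {
    requestOrigin: 'https://app.example',
    allowedOrigins,
  });
  return {
    upstreamFindings: auditApiResponseHeaders(SAMPLE_UPSTREAM),
    hardened,
    hardenedFindings: auditApiResponseHeaders(hardened),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it once against the raw upstream headers and once against the hardened set: the raw set should produce findings (relayed Set-Cookie, missing nosniff) and the hardened set none. Pointing the same audit at a staging proxy's real responses is the cheapest regression test for the cookie-leak case.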
