Secure headers for REST

What are the specific HTTP headers that a mobile application must have for being secure?

Could you add to your question the Internet links that includes your preliminar research on the topic?

1 Like

OWASP Secure Headers
7 Security Response Headers
The 8 HTTP Security Headers Best Practices

all of them are explaining what are the secure headers for web applications, but no one say anything about mobile applications. Of course there are some headers that, I know, apply for both (web and mobile) but I want to know what are all of them.

Mobile apps generally use REST web services to transfer data between the server and the application, the headers that need validation are:

  • The ones from OWASP
  • HSTS
1 Like
  • The app has webviews?
  • The app communicates or not with a backend (REST or GraphQL)?

Could interact via many architectural reference communications: REST, GraphQL, Websockets, etc

1 Like

I think this might help
You can read the section on security headers.

@blue-snot It doesn’t use a webview. And it is a REST api.
@martial-wolf thanks it helped me alot.

So just to check, the problem after all was secure headers for REST API communication, independent if there is a mobile client or not?

Kindof. it wasn’t a problem, just a little confusion that I had about how really is working the app I am checking.

Then I will rename the topic to REST secure headers, that at the end is the question and the final answer.

Just for fun and profit, the only particularity about secure headers on mobile is regarding the appropiate way to handle the user-agent header:

1 Like

Asserts has implemented the relevant checks for REST headers:

1 Like

Great. Is this a bug or a feature: = {'content-type': '^(\\s)*.+(\\/|-).+(\\s)*;(\\s)*charset.*$', 'strict-transport-security': '^\\s*max-age=\\s*\\d+', 'x-content-type-options': '^\\s*nosniff\\s*$', 'x-frame-options': '^\\s*deny.*$'}

@dark-angelus If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question. If not, please update the post with fuhrer information about the issue and/or the proposed solutions of the participants.