
OWASP Security Headers Project recommends the following security headers for web applications. Out of the following, which headers are relevant to mobile applications?

HTTP Strict Transport Security (HSTS)
Public Key Pinning Extension for HTTP (HPKP)
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
X-Permitted-Cross-Domain-Policies
Referrer-Policy

I know usage of X-Frame-Options, HTTP Strict Transport Security (HSTS) etc. is irrelevant for native and webview-based mobile applications.

  • What do you mean by irrelevant? Do you mean they are not implemented at this point in time? That doesn't make them irrelevant, they might get implemented later. So, read as: all of them. – Tobi Nary Sep 24 '17 at 08:03
  • @SmokeDispenser there is no point in adding an HSTS header for mobile applications, as the URLs are hardcoded in the application's source code. Hence SSL/TLS will be used for transport layer security if the hardcoded URL is HTTPS. – Shiv Sahni Sep 24 '17 at 08:18
  • That's only partially true; if it's webview-based, there are URLs coming in from retrieved markup. Additionally, mobile applications do not have to be native. – Tobi Nary Sep 24 '17 at 08:23
  • @SmokeDispenser What about native applications? Which headers among the aforementioned should be recommended for native applications? – Shiv Sahni Sep 24 '17 at 08:40
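Whether any of the headers in the question takes effect depends on the client: a webview is a browser engine and processes headers such as Content-Security-Policy the way a desktop browser would, while a hand-written HTTP client in a native app simply ignores headers it does not implement, which is the distinction the comments above are arguing about. Either way, the first step when assessing a mobile backend is to see which of these headers the server actually sends and whether their values are sane. The following audit script is an added example, not code from the question, the commenters or the OWASP project; it parses a constructed sample response from a hypothetical API backend (the status line and header values are made up) and reports each of the eight listed headers as absent, present, or failing a basic sanity check. The value checks (one-year HSTS max-age, a `default-src` in CSP, `DENY`/`SAMEORIGIN` for X-Frame-Options, `nosniff`) are this example's own thresholds.

```python
"""Audit an HTTP response for the security headers listed in the question.

Added example: given the raw header block of an HTTP response, report which
of the OWASP-recommended headers are present and whether their values pass a
basic sanity check. Header names are matched case-insensitively, as HTTP
requires. The sample response below is constructed, not captured.
"""
import re

# The headers named in the question (HPKP is sent as Public-Key-Pins).
RECOMMENDED = [
    "Strict-Transport-Security",
    "Public-Key-Pins",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "X-Permitted-Cross-Domain-Policies",
    "Referrer-Policy",
]

ONE_YEAR = 31536000  # seconds; a common minimum for a meaningful HSTS policy


def parse_headers(raw):
    """Parse a raw response header block into a lowercase-keyed dict.
    Duplicate headers are joined with ', ' as RFC 7230 allows; the body
    after the blank line is ignored."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers


def check_hsts(value):
    """HSTS only helps a client that honours it, and only with a long max-age."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < ONE_YEAR:
        return "max-age shorter than one year"
    return "ok"


def check_xfo(value):
    return "ok" if value.upper() in ("DENY", "SAMEORIGIN") else "unexpected value"


def check_nosniff(value):
    return "ok" if value.lower() == "nosniff" else "unexpected value"


def check_csp(value):
    # Without default-src, any fetch directive not listed is unrestricted.
    return "ok" if "default-src" in value.lower() else "no default-src"


# Headers with a value check; the rest are only reported as present/absent.
CHECKS = {
    "strict-transport-security": check_hsts,
    "x-frame-options": check_xfo,
    "x-content-type-options": check_nosniff,
    "content-security-policy": check_csp,
}


def audit(raw):
    """Return {header-name: status} for every recommended header."""
    headers = parse_headers(raw)
    report = {}
    for name in RECOMMENDED:
        value = headers.get(name.lower())
        if value is None:
            report[name] = "absent"
        else:
            report[name] = CHECKS.get(name.lower(), lambda v: "present")(value)
    return report


# Constructed sample response from a hypothetical mobile API backend.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "strict-transport-security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: script-src 'self'\r\n"
    "\r\n"
    '{"ok": true}'
)

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:35} {status}")
```

Run against the sample, the report flags the short HSTS max-age, the CSP with no `default-src`, and the four headers the backend does not send at all. To audit a real endpoint, feed `audit()` the raw header block captured with a proxy or `curl -i`; which of the flagged items actually matter still has to be judged per client, since a native app that does not implement HSTS gains nothing from that header while a webview loading the same origin does.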
