Security Headers

Enforce HSTS, CSP and the other security headers listed below on all responses.

Requirements Coverage

REQ-HDR-001 - Enforce HSTS header on responses
REQ-HDR-002 - Enforce Content Security Policy header
REQ-HDR-003 - Enforce X-Content-Type-Options: nosniff
REQ-HDR-004 - Enforce X-Frame-Options header

Test Examples

HDR-001 - BLOCKED

Security headers enforced on response

Sample Request

# All responses from Keycloak are enriched with security headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: default-src 'self'
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY

Expected Response

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
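The test above only lists the expected headers; it does not say how a response is judged against REQ-HDR-001 to REQ-HDR-004. The following checker is an added example written for this page, not Keycloak code or part of the original test catalog. It parses a raw HTTP/1.1 response, normalises header names (they are case-insensitive), treats a duplicated header as a failure rather than silently picking one copy, and evaluates each requirement. The sample responses are constructed; the minimum HSTS max-age (one year, the value in the expected response above), the requirement that CSP carry a default-src directive, and the accepted X-Frame-Options values (DENY or SAMEORIGIN) are assumptions of this example, not rules stated on the page.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample responses for this example; not captured from a real server.
COMPLIANT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"   # HSTS present but effectively disabled
    "X-Frame-Options: ALLOWALL\r\n"              # not a restrictive value
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Assumed threshold for this example: the one-year value used in the expected response.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return {lower-cased name: [values...]} for a raw HTTP/1.1 response.

    Header names are case-insensitive, so they are normalised. Values are kept
    as lists so a duplicated header is detected instead of silently taking the
    first or last occurrence.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _single(headers: Dict[str, List[str]], name: str) -> Tuple[str, str]:
    """Return (value, error); error is non-empty if the header is absent or duplicated."""
    values = headers.get(name, [])
    if not values:
        return "", f"{name} missing"
    if len(values) > 1:
        return "", f"{name} sent {len(values)} times; value is ambiguous"
    return values[0], ""


def check_hsts(value: str) -> Tuple[bool, str]:
    # REQ-HDR-001: HSTS must carry a max-age at or above the assumed minimum.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not m:
        return False, "no max-age directive"
    max_age = int(m.group(1))
    if max_age < MIN_HSTS_MAX_AGE:
        return False, f"max-age {max_age} below {MIN_HSTS_MAX_AGE}"
    return True, f"max-age={max_age}"


def check_csp(value: str) -> Tuple[bool, str]:
    # REQ-HDR-002: assumed baseline is that a default-src directive is present.
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not any(d.startswith("default-src") for d in directives):
        return False, "no default-src directive"
    return True, value


def check_nosniff(value: str) -> Tuple[bool, str]:
    # REQ-HDR-003: the only valid value is "nosniff" (case-insensitive).
    return value.strip().lower() == "nosniff", value


def check_frame_options(value: str) -> Tuple[bool, str]:
    # REQ-HDR-004: assumed accepted values are DENY and SAMEORIGIN.
    return value.strip().upper() in ("DENY", "SAMEORIGIN"), value


CHECKS: Dict[str, Tuple[str, Callable[[str], Tuple[bool, str]]]] = {
    "REQ-HDR-001": ("strict-transport-security", check_hsts),
    "REQ-HDR-002": ("content-security-policy", check_csp),
    "REQ-HDR-003": ("x-content-type-options", check_nosniff),
    "REQ-HDR-004": ("x-frame-options", check_frame_options),
}


def check_security_headers(raw: str) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every requirement against one raw response."""
    headers = parse_headers(raw)
    results: Dict[str, Tuple[bool, str]] = {}
    for req_id, (name, check) in CHECKS.items():
        value, err = _single(headers, name)
        results[req_id] = (False, err) if err else check(value)
    return results


def failing_requirements(raw: str) -> List[str]:
    """Sorted list of requirement ids the response does not satisfy."""
    return sorted(req for req, (ok, _) in check_security_headers(raw).items() if not ok)


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, failing_requirements(raw))
```

Run against the constructed samples, the compliant response fails nothing and the weak one fails all four requirements; the per-requirement message explains why (for example a max-age of 0, or a missing header), which is what a test report for HDR-001 would need to record.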