Security headers for client-rendered React SPA?

So, I have a client-rendered React SPA deployed inside an S3 bucket, communicating with a Java backend API.

I want to enable the security headers on the frontend-side, but I am a bit confused and I am not sure it’s something that’s possible. I am talking specifically about Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Content-Security-Policy. While I was able to define the CSP in a meta tag in the HTML, I’m not sure how to proceed with the others. Spring Security did the job in the backend.

One option would probably be to set these at CDN-level, but I want to explore other options.

Any ideas? Is this possible?