What is the best practice of adding security headers to a response

we want to add the following security headers to each response. What is the best way to do that

  • Strict-Transport-Security “max-age=31536000; includeSubDomains” always;
  • X-XSS-Protection “1; mode=block”;
  • X-frame-options “SAMEORIGIN”;
  • X-Content-Type-Options “nosniff”;

I can create a response filter but not sure this is the correct way

If they’re static I would add them to the GlobalResponseHeaders, e.g:

SetConfig(new HostConfig {
    GlobalResponseHeaders =
        ["Strict-Transport-Security"] = "...",
        ["X-XSS-Protection"] = "...",
        ["X-frame-options"] = "...",
        ["X-Content-Type-Options"] = "...",

If they need to be dynamically applied, e.g. conditionally per request I’d add them in a Global Response Filter.

Thx just what i was looking for!