We had a pen test done on one of our web applications, and an issue that was raised was that the application did not return any security headers when supplying a page to the browser. Some examples that they recommended are:
If you finally reach a dead end solving this using the framework (this happens all the time with any kind of web framework), you can add, edit or remove the headers directly from the web server (Apache / Nginx).
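As an added example (not part of the original thread, and not the framework's own code), this is what "add the headers directly from the web server" looks like in Nginx when it reverse-proxies the application. The server name, certificate paths, upstream address and the CSP value are assumptions; adjust them to the deployment.

```nginx
# Added example: Nginx reverse proxy in front of the application,
# injecting security headers at the web server. server_name, the
# certificate paths, the upstream address and the CSP are assumptions.
server {
    listen 443 ssl;
    server_name app.example.com;                    # assumption
    ssl_certificate     /etc/nginx/tls/app.crt;     # assumption
    ssl_certificate_key /etc/nginx/tls/app.key;     # assumption

    # "always" makes Nginx emit the header on every status code, not only
    # 2xx/3xx. Without it a 404 or 500 page goes out with no headers,
    # which a follow-up pen test will flag again.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Start restrictive; relax script-src/style-src only for what the
    # application actually loads, and test in the browser before rollout.
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

    location / {
        proxy_pass http://127.0.0.1:8080;           # assumption: app listens here
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If the application already sends one of these headers with a
        # different value, hide it so the browser sees a single copy rather
        # than two conflicting ones.
        proxy_hide_header X-Frame-Options;
    }
}
```

Two caveats when using this: `add_header` directives are inherited from the `server` block into a `location` only if that `location` has no `add_header` of its own, so if you add even one header inside a `location` you must repeat the whole set there; and after reloading, verify with `curl -sI https://app.example.com/` (and against a URL that returns 404) that every header is actually present. The Apache equivalent is `Header always set X-Content-Type-Options "nosniff"` and so on, which needs `mod_headers` enabled.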
It would be the least we can ask to be able to set headers. I can't find the way to do this from Session. Maybe @Greg_O_Lone can tell us how we can do this?