API Security Blog

If you are using a web framework, make sure it is configured securely.

If you are not using one, use the security headers provided by your application server.

Don’t send verbose error messages to users. Instead of returning an error message with stack traces and other details about the system, return a generic “something went wrong” message (and log the full details server-side). This prevents attackers from learning how your application works under the hood and fingerprinting your technology stack (e.g., Ruby on Rails).

Use HTTP security headers such as Content-Security-Policy and a correctly scoped Access-Control-Allow-Origin to protect your API implementation against common attacks such as XSS and CORS misconfiguration.
https://t.co/xcEhYTlS3J
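The three tips above (generic error messages, security headers, strict CORS) as an added example that is not from the original post: a standard-library-only Python WSGI wrapper that turns unhandled exceptions into a generic JSON error while logging the full trace server-side under an opaque reference id, attaches Content-Security-Policy and X-Content-Type-Options unless the app already set them, and emits Access-Control-Allow-Origin only for an explicitly allow-listed origin instead of reflecting whatever Origin the client sent. The origin, header values and the demo app are constructed placeholders.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger("api")
SECURITY_HEADERS = [  # added unless the app already set them (sample values)
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
]
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allow-list, never "*"

def secure_wrap(app):
    """Wrap a WSGI app: generic 500 on unhandled errors, security headers, strict CORS."""
    def wrapped(environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
        try:
            body = b"".join(app(environ, capture))
            status, headers = captured["status"], captured["headers"]
        except Exception:
            # Full trace stays server-side; the client gets only an opaque reference id.
            ref = uuid.uuid4().hex[:8]
            log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
            status = "500 Internal Server Error"
            headers = [("Content-Type", "application/json")]
            body = json.dumps({"error": "something went wrong", "ref": ref}).encode()
        present = {k.lower() for k, _ in headers}
        headers += [(k, v) for k, v in SECURITY_HEADERS if k.lower() not in present]
        origin = environ.get("HTTP_ORIGIN")
        if origin in ALLOWED_ORIGINS:  # never reflect an arbitrary Origin back
            headers += [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
        start_response(status, headers)
        return [body]
    return wrapped

def demo_app(environ, start_response):  # constructed sample API
    if environ["PATH_INFO"] == "/boom":
        raise RuntimeError("config file /etc/app/secret.ini missing")  # must not leak
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']
api = secure_wrap(demo_app)

def call(app, path, origin=None):  # drive a WSGI app in-process for testing
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", **({"HTTP_ORIGIN": origin} if origin else {})}
    out = {}
    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response)).decode()
    return out["status"], out["headers"], body  # (status, header dict, body text)
```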
