Updated February 24, 2026

Securing HMRC MTD Connections: HTTP Security Headers in v1.0.40

Version 1.0.40 closes a significant security gap: the application now ships with a full set of HTTP response security headers. This is a critical hardening step for any application that handles HMRC Making Tax Digital (MTD) API submissions and processes sensitive data such as National Insurance Numbers.

Why Security Headers Matter for MTD Applications

Applications connected to HMRC's MTD API operate under heightened security expectations. HMRC requires that connected software demonstrates an appropriate security posture — and HTTP response headers are one of the most direct and effective controls available at the web layer.

Without these headers, users of a financial application face concrete risks:

  • XSS (Cross-Site Scripting): A missing Content-Security-Policy leaves the browser with no instruction on which scripts, styles, and resources are legitimate. Malicious injected scripts could exfiltrate National Insurance Numbers or tamper with HMRC submission data.
  • Clickjacking: Without X-Frame-Options, the application can be embedded silently inside an <iframe> on a third-party page. An attacker could trick a landlord into unknowingly authorising a fraudulent HMRC submission.
  • Downgrade attacks: Without HSTS, a browser may accept an unencrypted HTTP connection, exposing session tokens and tax data in transit.
  • MIME sniffing: Without X-Content-Type-Options: nosniff, browsers may misinterpret file types, creating vectors for content injection.
  • Referrer leakage: Without a Referrer-Policy, sensitive URL paths (including those containing NI Numbers or submission IDs) can leak to third-party servers via the Referer header.

What Changed

A headers() export has been added to next.config.ts. This function returns security headers that are applied to every response served by the Next.js application.

Headers Configured

Content-Security-Policy (CSP)

Defines which origins are permitted to load scripts, styles, images, fonts, and other resources. Blocks inline script execution and scripts served from untrusted origins, directly reducing XSS risk on pages that handle HMRC credentials and National Insurance Numbers.

Strict-Transport-Security (HSTS)

Instructs browsers to always connect over HTTPS and to refuse HTTP connections for a defined period. Protects landlords on untrusted networks (e.g. public Wi-Fi) from downgrade and man-in-the-middle attacks during tax submission flows.

X-Frame-Options: DENY

Prevents the application from being embedded in any <iframe> or <frame>. This directly addresses the clickjacking risk on HMRC submission and authorisation pages, where a spoofed overlay could manipulate a landlord's actions.

X-Content-Type-Options: nosniff

Instructs the browser to respect the declared Content-Type of every response and never attempt to infer a different type. Prevents content-sniffing attacks that could allow a malicious upload to be executed as a script.

Referrer-Policy: strict-origin-when-cross-origin

Limits the information sent in the Referer header on cross-origin requests to the bare origin (scheme + host), with no path or query string. This prevents submission IDs, National Insurance Numbers, or other sensitive identifiers that may appear in URLs from leaking to external services (analytics, CDNs, third-party APIs).

Permissions-Policy

Restricts which browser APIs (camera, microphone, geolocation, payment, etc.) the application and any embedded third-party content may access. Enforces the principle of least privilege at the browser level.

Scope

All headers are applied globally via next.config.ts and take effect on every route served by the application — including API routes, the HMRC OAuth callback, and all landlord-facing pages.
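The shape of the headers() export described above, together with a small audit helper a deployer can run against a captured response to confirm the policy actually reached the browser, as an added example that is not the project's own next.config.ts. The CSP directive values, the HSTS lifetime, the Permissions-Policy feature list and the sample weak response are assumptions; the local HeaderPair and RouteHeaders types stand in for the types Next.js provides so the file compiles without the next package installed.

```typescript
// Added example, not the project's next.config.ts. Shows the shape of a
// headers() export that applies one fixed header set to every route, plus an
// audit helper that checks a captured response against the same policy.
// Every directive value below is an assumption about what a sensible policy
// looks like, not a value taken from the project.

// Local stand-ins for the types Next.js provides, so this compiles without 'next'.
type HeaderPair = { key: string; value: string };
type RouteHeaders = { source: string; headers: HeaderPair[] };

// One directive per line so each can be reviewed on its own; joined below.
const cspDirectives: string[] = [
  "default-src 'self'",
  // Next.js emits inline bootstrap scripts in production, so a deployment using
  // script-src 'self' alone also needs per-request nonces (assumed, not on the page).
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "font-src 'self'",
  "connect-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "form-action 'self'",
  "frame-ancestors 'none'", // CSP-level counterpart of X-Frame-Options: DENY
];

// The six headers the page lists, in the order it lists them.
export const securityHeaders: HeaderPair[] = [
  { key: "Content-Security-Policy", value: cspDirectives.join("; ") },
  // Two years; includeSubDomains so no subdomain can be reached over plain HTTP.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Empty allowlists: the app itself never uses these APIs, so nobody may.
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=(), payment=()" },
];

// '/(.*)' matches every route, so API routes and the OAuth callback get the
// same headers as landlord-facing pages.
export function buildRouteHeaders(): RouteHeaders[] {
  return [{ source: "/(.*)", headers: securityHeaders }];
}

// Next.js awaits headers(), so the real file declares it `async`; it is kept
// synchronous here so the example runs without a Promise polyfill.
const nextConfig = {
  headers: () => buildRouteHeaders(),
};
export default nextConfig;

// Compares a captured response's headers with the configured policy and
// returns one finding per gap; an empty array means the policy is fully applied.
export function auditHeaders(received: { [name: string]: string }, minHstsMaxAge: number = 31536000): string[] {
  // Header names are case-insensitive, so normalise before comparing.
  const got: { [name: string]: string } = {};
  for (const name of Object.keys(received)) got[name.toLowerCase()] = received[name].trim();

  const findings: string[] = [];
  for (const expected of securityHeaders) {
    const actual = got[expected.key.toLowerCase()];
    if (actual === undefined) {
      findings.push(expected.key + ": missing");
    } else if (expected.key === "Strict-Transport-Security") {
      // HSTS is judged by its lifetime rather than by exact text.
      const match = /max-age=(\d+)/i.exec(actual);
      const age = match ? Number(match[1]) : 0;
      if (age < minHstsMaxAge) findings.push(expected.key + ": max-age " + age + " below " + minHstsMaxAge);
    } else if (actual !== expected.value) {
      // Exact match for the rest; loosen per directive if CSP is tuned per route.
      findings.push(expected.key + ': expected "' + expected.value + '", got "' + actual + '"');
    }
  }
  return findings;
}

// Constructed sample: headers as a deployment that predates v1.0.40 might return them.
export const sampleWeakResponse: { [name: string]: string } = {
  "content-type": "text/html; charset=utf-8",
  "strict-transport-security": "max-age=60",
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
};
```

Running auditHeaders over the headers of a real response (for example the OAuth callback fetched with curl -I) is a quick release check that the change in next.config.ts is actually in effect behind any CDN or reverse proxy, which can strip or override headers; the sample weak response yields five findings, one per missing or downgraded header.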

HMRC MTD Security Posture

HMRC's MTD programme expects connected software to protect taxpayer data appropriately. These headers directly support that requirement by:

  1. Preventing unauthorised scripts from accessing HMRC OAuth tokens or submission payloads.
  2. Blocking UI-level manipulation of HMRC authorisation and submission flows.
  3. Enforcing encrypted transport for all data in transit.
  4. Limiting the exposure of sensitive identifiers through browser referrer behaviour.

File Reference

  • next.config.ts — contains the headers() export with all six security headers.