diff --git a/pkg/server/config_handlers_test.go b/pkg/server/config_handlers_test.go
index 7d14412a..3213bd5c 100644
--- a/pkg/server/config_handlers_test.go
+++ b/pkg/server/config_handlers_test.go
@@ -302,6 +302,7 @@ func TestServerConfigGlobalPostValid(t *testing.T) {
 require.JSONEq(bodyExpected, bodyActual)
 require.Equal(http.StatusCreated, code)
+ require.Equal(len(expectedJSONHeaders()), len(headers))
 require.Equal(expectedJSONHeaders(), headers)
 }
diff --git a/pkg/server/export_handlers_test.go b/pkg/server/export_handlers_test.go
index 0eb1faa7..789fd684 100644
--- a/pkg/server/export_handlers_test.go
+++ b/pkg/server/export_handlers_test.go
@@ -70,6 +70,9 @@ func TestServerPostExport(t *testing.T) {
 MIMEApplicationZIP,
 },
 "Content-Security-Policy": []string{"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' ws: wss:;"},
+ "X-Xss-Protection": []string{"1; mode=block"},
+ "X-Content-Type-Options": []string{"nosniff"},
+ "X-Frame-Options": []string{"SAMEORIGIN"},
 // echo.HeaderContentDisposition: []string{
 // `attachment; filename="report.zip"`,
 // },
@@ -222,6 +225,9 @@ func TestServerPostExportInvalidRequest(t *testing.T) {
 echo.MIMEApplicationJSONCharsetUTF8,
 },
 "Content-Security-Policy": []string{"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' ws: wss:;"},
+ "X-Xss-Protection": []string{"1; mode=block"},
+ "X-Content-Type-Options": []string{"nosniff"},
+ "X-Frame-Options": []string{"SAMEORIGIN"},
 }, headers, body.String())
 }
 }
diff --git a/pkg/server/server_common_test.go b/pkg/server/server_common_test.go
index 053353fc..86315a8a 100644
--- a/pkg/server/server_common_test.go
+++ b/pkg/server/server_common_test.go
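Review bot: The added `require.Equal(len(expectedJSONHeaders()), len(headers))` is redundant with the `require.Equal(expectedJSONHeaders(), headers)` directly below it, which already fails on any size or content difference and reports the missing or extra keys in its diff. If the intent is a more readable failure on a count mismatch, `require.Len(headers, len(expectedJSONHeaders()))` says that in one call; otherwise the new line can be dropped. TestServerConfigGlobalPostValid begins outside the hunk.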
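Review bot: The three security headers are hand-copied as string literals into the expected maps in both hunks of this file (@@ -70 and @@ -222) and again into expectedJSONHeaders in server_common_test.go, so any change to the middleware's header set or values has to be repeated at every site and a missed one only surfaces as a test failure. A helper in server_common_test.go that returns just the security headers, merged into each test's expected map, would keep one source of truth for what the server is meant to send. Both enclosing test functions begin outside their hunks.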
@@ -13,9 +13,12 @@ import (
 func expectedJSONHeaders() http.Header {
 return http.Header{
- "Vary": []string{"Accept-Encoding"},
- "Content-Type": []string{"application/json; charset=UTF-8"},
 "Content-Security-Policy": []string{"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' ws: wss:;"},
+ "X-Xss-Protection": []string{"1; mode=block"},
+ "X-Content-Type-Options": []string{"nosniff"},
+ "X-Frame-Options": []string{"SAMEORIGIN"},
+ "Content-Type": []string{"application/json; charset=UTF-8"},
+ "Vary": []string{"Accept-Encoding"},
 }
 }
diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go
index 653ed23a..b955a0a4 100644
--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -71,7 +71,7 @@ func TestServerConformanceSuiteCallback(t *testing.T) {
 // do assertions.
 require.Equal(http.StatusOK, code)
- require.Len(headers, 6)
+ require.Len(headers, 9)
 require.Equal("text/html; charset=utf-8", headers["Content-Type"][0])
 require.NotNil(body)
diff --git a/pkg/server/swagger_handlers_test.go b/pkg/server/swagger_handlers_test.go
index 5b4673e9..4e257e84 100644
--- a/pkg/server/swagger_handlers_test.go
+++ b/pkg/server/swagger_handlers_test.go
@@ -51,7 +51,7 @@ func TestServerSwaggerHandlersServesUI(t *testing.T) {
 require.Equal(bodyExpected, bodyActual)
 require.Equal(http.StatusOK, code)
- require.Len(headers, 3)
+ require.Len(headers, 6)
 require.Equal("text/html; charset=utf-8", headers["Content-Type"][0])
 })
 }
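Review bot: expectedJSONHeaders has no doc comment, and because several tests compare against it with require.Equal a reader needs to know it must list every header the server emits on a JSON response rather than a subset; suggest `// expectedJSONHeaders returns the complete header set expected on a JSON response, including the security headers added by middleware; callers compare it with require.Equal, so it must be exhaustive.` Pinning `X-Xss-Protection: 1; mode=block` as the expected value also deserves a second look: that header is deprecated and ignored by current browsers, and current guidance is to send `0` or omit it, so if this value merely mirrors the middleware's default rather than a deliberate choice it is worth confirming. Moving `Content-Type` and `Vary` to the bottom of the literal is cosmetic only, since key order in a map literal has no effect on the comparison.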
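Review bot: `require.Len(headers, 9)` swaps one magic count for another and still asserts nothing about which headers arrived, so a middleware that dropped `X-Frame-Options` and added an unrelated header would still pass; the same applies to `require.Len(headers, 6)` in the swagger_handlers_test.go hunk. Assert the headers that matter by name, e.g. `require.Equal("nosniff", headers.Get("X-Content-Type-Options"))` and likewise for `X-Frame-Options`, or compare against a shared expected map as the JSON tests do, and keep the count only with a comment saying what the 9 are. TestServerConformanceSuiteCallback begins and ends outside the hunk.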