Techniques to facilitate automatic insertion of security policies for web applications are disclosed herein. In at least one implementation, security configuration information for a web application is received. A web request for a web resource is received and processed to determine an HTTP security header for insertion into a web response to the web request based on properties of the web request. The web response is intercepted and the HTTP security header is inserted into the web response to generate a modified web response. The web response is processed to determine a security enhancement to apply to the web resource based on the security configuration information. The security enhancement is applied to the web resource to generate a modified web resource. The modified web response and the modified web resource are provided to a client application in response to the web request for the web resource.