These headers help protect your site against a range of threats such as XSS, clickjacking, protocol downgrade attacks and other web security weaknesses. Each one is a single line added to the HTTP response; the browser enforces the policy, so a header only helps in browsers that implement it and does nothing for non-browser clients.

## 1. Strict-Transport-Security (HSTS)

- **Description**: Tells the browser to use HTTPS for every future request to the host, preventing protocol downgrade attacks (an attacker forcing communication over plain HTTP). It only takes effect after the browser has seen the header on an HTTPS response, so the very first plain-HTTP visit is still unprotected unless the domain is on the browsers' preload list.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

- `max-age=31536000`: Sets the duration (in seconds, here one year) for which the browser should remember to use HTTPS.
- `includeSubDomains`: Applies HSTS to all subdomains as well. Check first that every subdomain actually serves HTTPS; otherwise those subdomains become unreachable for the whole `max-age`.

## 2. Content-Security-Policy (CSP)

- **Description**: Limits the resources that can be loaded on the page (scripts, styles, images and so on) to the sources you list, so an injected `<script>` tag or inline script from an untrusted origin is not executed. This is the main browser-side defence against Cross-Site Scripting (XSS).

```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com
```

- `default-src 'self'`: Restricts loading of resources to the same origin unless a more specific directive overrides it.
- `script-src 'self' https://trusted-scripts.com`: Allows scripts only from the site itself and from the trusted host. Avoid `'unsafe-inline'` and `'unsafe-eval'` in this directive; they largely cancel the XSS protection.

## 3. X-Content-Type-Options

- **Description**: Prevents browsers from interpreting files as a different MIME type than the one declared in `Content-Type`. This blocks MIME-sniffing attacks, for example a user-uploaded "image" being executed as a script.

```http
X-Content-Type-Options: nosniff
```

## 4. X-Frame-Options

- **Description**: Prevents your page from being loaded inside a frame or iframe on other sites, protecting against clickjacking attacks.

```http
X-Frame-Options: SAMEORIGIN
```

- `SAMEORIGIN`: Allows the page to be embedded only by pages from the same origin.
- Alternatively, `DENY` blocks framing completely.
- The CSP `frame-ancestors` directive is the modern replacement and takes precedence in browsers that support it; keep `X-Frame-Options` as well for older browsers.

## 5. X-XSS-Protection

- **Description**: Activated the XSS filter built into older browsers. The filter has been removed from Chrome and Edge and was never implemented in Firefox, so the header no longer provides protection; it is listed here because it still appears in many configurations.

```http
X-XSS-Protection: 1; mode=block
```

- `1`: Activates the filter.
- `mode=block`: Prevents the page from rendering if an XSS attack is detected.
- Current guidance is to send `X-XSS-Protection: 0` (or omit the header) and rely on CSP instead, since the filter itself could be abused to leak information about the page.

## 6. Referrer-Policy

- **Description**: Controls how much of the current URL the browser sends in the `Referer` header when following links or loading resources from other sites, protecting the user's privacy and keeping tokens that appear in URLs from leaking.

```http
Referrer-Policy: no-referrer-when-downgrade
```

- `no-referrer-when-downgrade`: Sends the full URL as the referrer except when navigating from HTTPS to plain HTTP. This was the old browser default; note that it still sends the full URL to other HTTPS sites. `strict-origin-when-cross-origin` (the current default in modern browsers) sends only the origin cross-site and is the safer choice.

## 7. Permissions-Policy

- **Description**: Limits which browser APIs and features can be used on the page (such as camera, geolocation, microphone), including by embedded iframes.

```http
Permissions-Policy: geolocation=(), microphone=(), camera=()
```

- The example above blocks the use of geolocation, microphone and camera; the empty allowlist `()` means no origin may use the feature.

## 8. Expect-CT

- **Description**: Asked browsers to check that the site's TLS certificates were logged in Certificate Transparency logs and, with `enforce`, to refuse the connection otherwise. The header is obsolete: Chrome has required CT logging for all publicly trusted certificates since 2018 and browser support for the header has been removed, so it can be dropped from new configurations.

```http
Expect-CT: enforce, max-age=86400
```

## 9. Cross-Origin-Resource-Policy (CORP)

- **Description**: Controls which origins may load the resource at all (for example via `<img>`, `<script>` or a no-cors `fetch`). It protects against cross-origin reads of a resource, including speculative-execution side channels such as Spectre, and is part of the cross-origin isolation machinery (a page sending `Cross-Origin-Embedder-Policy: require-corp` only loads cross-origin resources that opt in via CORP or CORS). It is not a defence against CORS misconfiguration: CORS decides whether a cross-origin script may read a response, CORP decides whether the browser loads it in the first place.

```http
Cross-Origin-Resource-Policy: same-origin
```

- `same-origin`: Only requests from the same origin may load the resource. Use `same-site` if subdomains need it, or `cross-origin` for resources meant to be embedded anywhere.

Review which of these fit your application, deploy them, and then verify that the headers actually arrive in responses.
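As an added example (not code from the original page), the following Python script audits a set of response headers against the recommendations above: it parses the HSTS `max-age`, splits the CSP into directives and looks for `'unsafe-inline'`, `'unsafe-eval'` or `*` among the script sources, treats `X-XSS-Protection` values other than `0` and the obsolete `Expect-CT` as findings, and flags the leaky `Referrer-Policy` values. The one-year HSTS threshold, the finding strings and the two sample header sets are assumptions constructed for the demo; `fetch_headers` uses only the standard library to run the same audit against a live site.

```python
"""Audit HTTP response headers against the recommendations on this page.

Added example, not part of the original page. The sample header sets at the
bottom are constructed for the demo; fetch_headers(url) runs the same audit
against a live site using only the standard library.
"""
import re
import urllib.request
from typing import Dict, List

# One year is the commonly recommended minimum HSTS lifetime (assumed threshold).
MIN_HSTS_MAX_AGE = 31536000

# Referrer-Policy values that send the full URL to other HTTPS origins.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1. HSTS: present, max-age of at least a year, includeSubDomains set.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age={max_age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    # 2. CSP: present, and the effective script sources must not be 'unsafe-*' or '*'.
    csp = h.get("content-security-policy")
    directives = _parse_csp(csp or "")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP: neither script-src nor default-src set")
        else:
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in script_src:
                    findings.append(f"CSP: script sources allow {bad}")

    # 3. nosniff must be set exactly.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: not set to nosniff")

    # 4. Clickjacking: either CSP frame-ancestors or a valid X-Frame-Options.
    xfo = h.get("x-frame-options")
    if "frame-ancestors" not in directives and xfo is None:
        findings.append("Clickjacking: neither frame-ancestors nor X-Frame-Options set")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unsupported value {xfo!r}")

    # 5. X-XSS-Protection: anything other than 0 re-enables the removed legacy filter.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        findings.append(f"X-XSS-Protection: {xxp!r} enables a removed filter; send 0 or drop it")

    # 6. Referrer-Policy: present and not one of the values that leak the full URL.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy: header missing")
    elif rp.strip().lower() in LEAKY_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {rp!r} sends the full URL cross-origin")

    # 7 and 9. Permissions-Policy and CORP: only their absence is reported here.
    for name in ("permissions-policy", "cross-origin-resource-policy"):
        if name not in h:
            findings.append(f"{name}: header missing")

    # 8. Expect-CT is obsolete, so its presence is the finding.
    if "expect-ct" in h:
        findings.append("Expect-CT: obsolete header, remove it")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Live mode: fetch the URL and return the final response's headers."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed sample: exactly the example values used on this page.
PAGE_EXAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted-scripts.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Expect-CT": "enforce, max-age=86400",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: a weak configuration, for contrast.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("page example", PAGE_EXAMPLE_HEADERS), ("weak config", WEAK_HEADERS)):
        print(f"== {label} ==")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  " + finding)
```

Run against the page's own example values the audit reports exactly three findings (the deprecated `X-XSS-Protection` filter, the leaky `Referrer-Policy` and the obsolete `Expect-CT`), which is the point: copying a header list verbatim is not the same as having a current one. `fetch_headers` follows redirects, so the headers it returns belong to the final response, which is what the browser ends up enforcing.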