- Prevent site from being rendered in an iframe (clickjacking); the modern equivalent is CSP frame-ancestors 'none'
X-Frame-Options: DENY
- Legacy reflected-XSS filter: stop the page from loading if the browser detects reflected XSS. Current browsers no longer implement this filter and it has been abused to leak information, so rely on Content-Security-Policy instead (OWASP now recommends sending 0)
X-XSS-Protection: 1; mode=block
- Don't set referrer header
Referrer-Policy: no-referrer
- Prevent MIME type sniffing (i.e. don't execute JS served with an image Content-Type such as a .png)
X-Content-Type-Options: nosniff
- Force HTTPS. Send only on HTTPS responses; the preload list requires max-age of at least one year (31536000 seconds) plus includeSubDomains, and preloading is hard to undo, so be sure every subdomain works over HTTPS first
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- Disable browser features. Feature-Policy is the deprecated name; current browsers read Permissions-Policy, which uses a different syntax (the speaker feature was dropped from the spec)
Feature-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none'
Permissions-Policy: geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()
- Allow scripts (and other resources) only from the site's own origin. Note that a policy built from * plus 'unsafe-inline' and 'unsafe-eval' in script-src permits everything and is effectively no policy; 'unsafe-inline' is also meaningless in connect-src and img-src
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
- Header scanner: https://securityheaders.com (for the CSP itself: https://csp-evaluator.withgoogle.com)
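An offline checker for the recommendations above, added here as an example (it is not part of the original note and not the code behind either linked tool). It takes a response's headers as a plain dict, which in practice would come from something like requests.head(url).headers; the two header sets below are constructed for illustration, one matching the weak values this cheat sheet originally carried and one matching the corrected values.

```python
"""Check a set of HTTP response headers against the cheat sheet above.

Added example: the header dicts are constructed inline so the script runs
offline; a real run would take them from an HTTP client's response.
"""

HSTS_PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires at least one year
SCRIPT_SRC_BAD = ("*", "'unsafe-inline'", "'unsafe-eval'")


def parse_csp(value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS value."""
    max_age, sub, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive == "includesubdomains":
            sub = True
        elif directive == "preload":
            preload = True
    return max_age, sub, preload


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))

    # Clickjacking: either the legacy header or CSP frame-ancestors must be set
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") \
            and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, sub, preload = parse_hsts(hsts)
        if preload and (max_age is None or max_age < HSTS_PRELOAD_MIN_AGE or not sub):
            findings.append("HSTS preload needs max-age >= 31536000 and includeSubDomains")

    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when absent
        script = csp.get("script-src", csp.get("default-src", []))
        bad = [s for s in script if s in SCRIPT_SRC_BAD or s.startswith("http:")]
        if bad:
            findings.append("CSP script-src allows " + ", ".join(bad))

    if "permissions-policy" not in h and "feature-policy" in h:
        findings.append("Feature-Policy is deprecated; send Permissions-Policy")

    if "x-xss-protection" in h and h["x-xss-protection"].strip() != "0":
        findings.append("X-XSS-Protection filter is deprecated; rely on CSP (or send 0)")

    return findings


# Constructed sample: the weak values the cheat sheet originally listed
WEAK_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=15780000; includeSubDomains; preload",
    "Feature-Policy": "geolocation 'none'; camera 'none'",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'; "
                               "script-src * 'unsafe-inline' 'unsafe-eval'; "
                               "img-src * data: blob:; frame-src *",
}

# Constructed sample: the corrected values
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name + ":", check_headers(hdrs) or ["ok"])
```

The script-src check is the one worth keeping even if you drop the rest: a wildcard or 'unsafe-inline' in the directive that governs script execution means the CSP provides no XSS mitigation, whatever else it says.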