Response HTTP headers that control the browser and have an effect on security:

- Content-Security-Policy (CSP): prevents cross-site scripting (XSS), clickjacking and other code injection attacks that result from executing malicious content in the context of the trusted web page.

- X-Frame-Options: SAMEORIGIN

- X-Content-Type-Options: stops the browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type.

  X-Content-Type-Options: nosniff

- X-XSS-Protection: with the default behaviour, the browser prevents rendering of the page when a cross-site scripting (XSS) attack is detected.

  X-XSS-Protection: 1; mode=block

- X-Robots-Tag: stops search engines from indexing the pages.

  X-Robots-Tag: none

- Permissions-Policy: lets you control which features and APIs can be used in the browser. It was previously named Feature-Policy.

  Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
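As an added example (not code from the original page), the audit function below checks a response's headers against the values listed above, including a small parser for the Permissions-Policy allowlists; the two header dicts are constructed samples, and the expected values are taken from this list.

```python
from typing import Dict, List, Optional, Set

# Values recommended above; None means "must be present, any value accepted".
EXPECTED: Dict[str, Optional[Set[str]]] = {
    "Content-Security-Policy": None,
    "X-Frame-Options": {"SAMEORIGIN", "DENY"},
    "X-Content-Type-Options": {"nosniff"},
    "X-XSS-Protection": {"1; mode=block"},
    "X-Robots-Tag": {"none"},
    "Permissions-Policy": None,  # checked feature by feature below
}
# Features the example Permissions-Policy above disables with an empty allowlist.
DISABLED_FEATURES = ("camera", "microphone", "geolocation", "interest-cohort")


def _normalise(value: str) -> str:
    # Collapse whitespace so "1;  mode=block" and "1; mode=block" compare equal.
    return " ".join(value.split())


def parse_permissions_policy(value: str) -> Dict[str, str]:
    # "camera=(), geolocation=(self)" -> {"camera": "()", "geolocation": "(self)"}
    policy: Dict[str, str] = {}
    for directive in value.split(","):
        if "=" in directive:
            feature, allowlist = directive.split("=", 1)
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weakly configured header."""
    # Header names are case-insensitive, so index them in lower case.
    present = {name.lower(): _normalise(val) for name, val in headers.items()}
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        value = present.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif allowed is not None and value not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")
    raw_policy = present.get("permissions-policy")
    if raw_policy is not None:
        policy = parse_permissions_policy(raw_policy)
        for feature in DISABLED_FEATURES:
            if policy.get(feature) != "()":
                findings.append(f"Permissions-Policy: {feature} not disabled")
    return findings


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Robots-Tag": "none",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
}
WEAK = {
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "ALLOW-FROM https://example.com",
    "x-content-type-options": "nosniff",
    "permissions-policy": "camera=(self), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```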