web:http:security

About

In HTTP, the security is done via the setting of:

response header known as security header that drives the execution of the browser page load
cookies properties mostly samesite that control if the cookies should be sent back by the browser.

response HTTP header that control the browser and have an effect on security:

Content-Security-Policy (CSP): to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context
X-Frame-Options: No frame to avoid clickjacking

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: HTTP - Strict Transport Security (HSTS) - mandatory HTTPS: uses only https
X-Content-Type-Options: Stops the browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type

X-Content-Type-Options: nosniff

X-XSS-Protection header. Using the default behavior, the browser will prevent rendering of the page when a Cross-site scripting (XSS) attack is detected, ¹⁾

X-XSS-Protection: 1; mode=block

X-Robots-Tag: none

Referrer-Policy: HTTP - Referrer-Policy Header (to not leak private url)
Permissions-Policy: This header allows you to control which features and APIs can be used in the browser. It was previously named Feature-Policy. You can view the full list of permission options here.

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

CORS headers controls the execution of cross-request created by javascript in the browser (ie embedded in a page)

The samesite and cookie scope controls where the browser sends the cookie back (in a cross origin context or not)

¹⁾

²⁾