- Content-Security-Policy (CSP): restricts where scripts, styles, frames and other resources may be loaded from, and (via frame-ancestors) who may frame the page; this mitigates cross-site scripting (XSS), clickjacking and other code-injection attacks that execute attacker-controlled content in the trusted page context
- Strict-Transport-Security (HSTS): tells the browser to contact the host only over HTTPS for max-age seconds (optionally for all subdomains too), so plain-http links and typed URLs are upgraded before any request leaves the browser
- X-Content-Type-Options: nosniff stops the browser from MIME-sniffing the response and forces it to honour the declared Content-Type, so a file served as text/plain or an image cannot be interpreted as a script or stylesheet
- X-XSS-Protection: 1; mode=block: enables the browser's legacy reflected-XSS filter. Chromium-based browsers have removed the filter and Firefox never implemented it, so the header is effectively obsolete; rely on a CSP instead, and set the header to 0 (or omit it) where the old filter's side effects are a concern
- X-Robots-Tag: tells search-engine crawlers not to index the page (and, with nofollow, not to follow its links); useful for admin or internal pages that should not be discoverable through a search engine
- Referrer-Policy: controls how much of the current URL is sent in the Referer header on outgoing requests and navigations, so that private paths, tokens or query strings do not leak to third-party sites
- Permissions-Policy: controls which browser features and APIs (camera, microphone, geolocation, ...) the page and its embedded frames may use. It was previously named Feature-Policy.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
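
Added example, not part of the original notes: a small audit function that checks a response's headers against the list above and reports what is missing or weak. The "recommended" policy values are assumptions for a typical first-party site (the CSP, the one-year HSTS max-age, the Referrer-Policy choice), not universal rules; the weak response used as input is constructed for the demonstration.

```javascript
// Added example (not from the original notes): build the header set the notes
// describe and audit a response against it. Values are assumptions for a
// typical first-party site, not universal recommendations.
const RECOMMENDED_HEADERS = {
  // CSP: same-origin resources only, no plugins, and no framing (clickjacking).
  'content-security-policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  // HSTS: one year, including subdomains, so the browser never downgrades to http.
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  // Disable MIME sniffing so a text/plain upload is never executed as script.
  'x-content-type-options': 'nosniff',
  // The legacy XSS auditor is gone from current browsers; 0 disables it where it
  // still exists (CSP is the real control).
  'x-xss-protection': '0',
  // Send only the origin cross-site, never the path or query string.
  'referrer-policy': 'strict-origin-when-cross-origin',
  // Deny powerful features to the page and any embedded frames.
  'permissions-policy': 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
  // Keep the page out of search indexes (admin/internal pages).
  'x-robots-tag': 'noindex, nofollow',
};

// Lower-case header names and trim values so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse the max-age directive of an HSTS value; returns -1 when absent.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value);
  return m ? Number(m[1]) : -1;
}

// Audit a response's headers. Returns an array of {header, problem} findings;
// an empty array means every check passed.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];
  const flag = (header, problem) => findings.push({ header, problem });

  const csp = h['content-security-policy'];
  if (!csp) {
    flag('content-security-policy', 'missing');
  } else {
    // 'unsafe-inline' without nonces or hashes lets injected inline script run.
    if (/'unsafe-inline'/.test(csp) && !/'nonce-|'sha(256|384|512)-/.test(csp)) {
      flag('content-security-policy', "allows 'unsafe-inline' without nonces/hashes; inline XSS still runs");
    }
    // Without frame-ancestors (or the older X-Frame-Options) the page can be framed.
    if (!/frame-ancestors/.test(csp) && !h['x-frame-options']) {
      flag('content-security-policy', 'no frame-ancestors (and no X-Frame-Options): clickjacking not covered');
    }
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    flag('strict-transport-security', 'missing');
  } else if (hstsMaxAge(hsts) < 31536000) {
    flag('strict-transport-security', 'max-age below one year');
  }

  if (h['x-content-type-options'] !== 'nosniff') {
    flag('x-content-type-options', 'missing or not "nosniff"');
  }

  // A value starting with 1 re-enables the legacy filter where it still exists.
  if (/^1/.test(h['x-xss-protection'] || '')) {
    flag('x-xss-protection', 'legacy auditor enabled; set to 0 (or drop) and rely on CSP');
  }

  // Unset, unsafe-url and no-referrer-when-downgrade all send the full URL
  // (path and query) to cross-site destinations in at least some browsers.
  const rp = h['referrer-policy'];
  if (!rp || /^(unsafe-url|no-referrer-when-downgrade)$/i.test(rp)) {
    flag('referrer-policy', 'full URL (path and query) may leak to cross-site destinations');
  }

  if (!h['permissions-policy']) {
    flag('permissions-policy', 'missing');
  }

  return findings;
}

// Constructed sample: a response that sets only a few of the headers, weakly.
const WEAK_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-XSS-Protection': '1; mode=block',
};

console.log(auditSecurityHeaders(WEAK_RESPONSE_HEADERS));   // 7 findings
console.log(auditSecurityHeaders(RECOMMENDED_HEADERS));     // []
```

The audit is deliberately conservative: a CSP that relies on 'unsafe-inline' is flagged because it leaves the XSS case the header exists for, and an HSTS max-age shorter than a year is flagged because preload lists and most hardening guides require at least that. Feed it the header map from your framework's response object (or from a captured HTTP response) to get the same findings for a real site.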