HTTP Headers

• HTTP Strict-Transport-Security (HSTS)
  • Strict-Transport-Security: max-age: 31536000; includeSubDomains; preload
  • chrome://net-internals/#hsts
• Referrer-Policy
  • no-referrer, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
• X-Content-Options
  • X-Content-Options: nosniff
• Feature-Policy
  • Feature-Policy: geolocation 'none'; camera 'none'; microphone 'none';
• X-Frame-Options or Content-Security-Policy: frame-ancestors 'none'
  • deny, sameorigin, allow-from URI
• Handling any X-xxx headers potentially unsafe, eg X-Forwarded-For, X-Forwarded-IP, Client-IP, X-Client-IP, etc