HTTP Headers
- HTTP Strict-Transport-Security (HSTS)
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (the directive is max-age=seconds, not max-age:; a malformed max-age makes browsers ignore the header, and it is only honoured on HTTPS responses)
- chrome://net-internals/#hsts
- Referrer-Policy
- no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url (strict-origin-when-cross-origin is the current browser default; unsafe-url sends the full URL, query string included, to every destination)
- X-Content-Type-Options (stops MIME sniffing, so a user-uploaded file served as text/plain cannot be executed as script)
- X-Content-Type-Options: nosniff
- Feature-Policy (superseded by Permissions-Policy, which uses a different syntax; send the new header, keep the old one only for legacy browsers)
- Feature-Policy: geolocation 'none'; camera 'none'; microphone 'none'
- Permissions-Policy: geolocation=(), camera=(), microphone=()
- X-Frame-Options or Content-Security-Policy: frame-ancestors 'none'
- DENY, SAMEORIGIN, ALLOW-FROM uri (ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors for an allow-list, and note that when both headers are present frame-ancestors takes precedence)
- Treat any X-xxx header that carries caller identity as untrusted client input, eg X-Forwarded-For, X-Forwarded-IP, Client-IP, X-Client-IP, etc: a client can send them directly, so only the hops appended by your own reverse proxies may be believed, and the edge should strip or overwrite them before they reach access control, rate limiting or logging
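Two of the points above are easy to get wrong in practice: the exact syntax of the headers (a `max-age:` typo silently disables HSTS) and picking the client address out of X-Forwarded-For without trusting the spoofable left-hand entries. The following is an added example, not code from the original notes: a small checker that audits a response's headers against this checklist, plus a `client_ip` helper that only trusts the hops appended by a known number of your own proxies. The header dictionaries and proxy addresses are constructed sample input.

```python
"""Audit security headers and read X-Forwarded-For without trusting the client."""
import ipaddress
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    max-age stays None when the directive is missing or malformed."""
    out: Dict[str, object] = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r"\d+", val.strip().strip('"'))
            out["max-age"] = int(m.group()) if m else None
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the checklist above; an empty list means all checks passed."""
    h = _lower_keys(headers)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        p = parse_hsts(hsts)
        if p["max-age"] is None:
            findings.append("HSTS max-age missing or malformed (must be max-age=<seconds>)")
        elif p["max-age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {p['max-age']} is below one year")
        if not p["includeSubDomains"]:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.strip().lower() == "unsafe-url":
        findings.append("Referrer-Policy unsafe-url leaks full URLs cross-origin")

    # Either CSP frame-ancestors or X-Frame-Options must restrict framing.
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors")

    if "permissions-policy" not in h and "feature-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: int) -> str:
    """Pick the client address from X-Forwarded-For using only trusted hops.

    Each trusted proxy appends exactly one address, so the rightmost
    `trusted_proxies` entries were written by infrastructure we control and
    everything to their left is attacker-controllable. With no trusted
    proxies the header is ignored entirely and the socket address is used.
    """
    if trusted_proxies <= 0 or not xff:
        return remote_addr
    hops = [p.strip() for p in xff.split(",") if p.strip()]
    idx = len(hops) - trusted_proxies  # leftmost entry appended by a trusted proxy
    if idx < 0:
        return remote_addr  # header shorter than the proxy chain: not appended by all of them
    try:
        return str(ipaddress.ip_address(hops[idx]))
    except ValueError:
        return remote_addr  # garbage in the header: fall back to the socket peer


# Constructed sample responses (not captured from a real site).
BAD_HEADERS = {
    "Strict-Transport-Security": "max-age: 31536000; includeSubDomains; preload",  # the typo above
    "X-Content-Options": "nosniff",  # misspelled header name, ignored by browsers
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    for f in audit_headers(BAD_HEADERS):
        print("finding:", f)
    print("good config findings:", audit_headers(GOOD_HEADERS))
    # Client spoofs 1.2.3.4; proxy 10.0.0.1 appends the real client, proxy 10.0.0.2 appends 10.0.0.1.
    print(client_ip("10.0.0.2", "1.2.3.4, 203.0.113.9, 10.0.0.1", trusted_proxies=2))
```

The `trusted_proxies` count must match the real topology: one too many and you read an attacker-supplied entry, one too few and every request appears to come from your own proxy. If the application is ever reachable without going through the proxies, set the count to zero for that listener.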