Security Headers

List

• Cross-Origin-Embedder-Policy (COEP) header
• Cross-Origin-Opener-Policy (COOP) header
• Cross-Origin-Resource-Policy (CORP) header
• Content-Security-Policy (CSP) header
• Content-Security-Policy-Report-Only (CSPRO) header
• Expect-CT (experiemental) - lets sites opt in to reporting and enforcement of Certificate Transparency to detect use of misussed certificate for that site.
• Permissions-Policy header
• Reporting-Endpoints (experiemental) - response header that allows website owners to specify one or more endpoints used to receive errors such as CSP violation reports, Cross-Origin-Opener-Policy (COOP) reports, or other generic violations
• Strict-Transport-Security (HSTS) header
• Upgrade-Insecure-Requests header
• X-Content-Type-Options header
• X-Frame-Options (XFO) header
• X-Permitted-Cross-Domain-Policies header
• X-Powered-By header
• X-XSS-Protection (non-standard) - was a feature of Internet Explorer, Chrome and Safari that stopped pages from loading when they detected reflected cross-site scripting (XSS) attacks.

Links

• HTTP headers

References