· X-Content-Type-Options – add this header if it doesn’t exist and set it to “nosniff” – prevents the browser from MIME-sniffing a response and treating it as a different content type than the one declared.
· X-Frame-Options – add this header if it doesn’t exist and set it to “SAMEORIGIN” – pages on your website can be included in frames, but only by other pages on the same website.
· X-XSS-Protection – add this header if it doesn’t exist and set it to “1; mode=block” – enables the browser’s built-in cross-site scripting filter and tells it to block the page rather than sanitize it.
· Strict-Transport-Security – add this header if it doesn’t exist and set it to “max-age=31536000; includeSubdomains” – tells the client to use https:// for every request to the site (and its subdomains) for the max-age period, even when a link says http://.
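The “add it if it doesn’t exist” rule above is easy to get wrong in practice (header names are case-insensitive, and an explicit site-specific value should not be clobbered), so here is an added example, not code from the original article, that applies the four headers to a response header dictionary and audits an existing response for them. The header names and values are the ones listed above; the function names and the check thresholds (max-age of at least one year, DENY accepted as a stricter alternative to SAMEORIGIN) are this example’s own assumptions.

```python
"""Apply and audit the four security headers listed above.

Added example (not the original article's code). The recommended values
are the ones the article lists; everything else here is an assumption.
"""

RECOMMENDED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Values that are at least as strict as the recommendation (assumption).
ACCEPTABLE_VALUES = {
    "X-Frame-Options": {"sameorigin", "deny"},
}

ONE_YEAR = 31536000  # seconds, matching the article's max-age


def _find_key(headers, name):
    """Return the existing key that matches `name` case-insensitively, or None.

    HTTP header names are case-insensitive, so "x-frame-options" already
    present must count as present.
    """
    wanted = name.lower()
    for key in headers:
        if key.lower() == wanted:
            return key
    return None


def _max_age_seconds(directives):
    """Parse the max-age directive out of a list of lower-cased HSTS
    directives; return -1 if it is missing or malformed."""
    for d in directives:
        if d.startswith("max-age="):
            value = d.split("=", 1)[1].strip('"')
            return int(value) if value.isdigit() else -1
    return -1


def apply_security_headers(headers, is_https=True):
    """Return a copy of `headers` with each recommended header added only
    when it is absent, so a deliberately chosen site value is never
    overwritten. HSTS is only honoured on an HTTPS response, so it is not
    added to a plain-HTTP response."""
    out = dict(headers)
    for name, value in RECOMMENDED_HEADERS.items():
        if name == "Strict-Transport-Security" and not is_https:
            continue
        if _find_key(out, name) is None:
            out[name] = value
    return out


def audit_security_headers(headers):
    """Return a list of (header, problem) tuples for headers that are
    missing or weaker than the recommendation; an empty list means the
    response passes."""
    problems = []
    for name, expected in RECOMMENDED_HEADERS.items():
        key = _find_key(headers, name)
        if key is None:
            problems.append((name, "missing"))
            continue
        actual = headers[key].strip()
        if name == "Strict-Transport-Security":
            # HSTS is a list of ";"-separated, case-insensitive directives.
            directives = [d.strip().lower() for d in actual.split(";") if d.strip()]
            if _max_age_seconds(directives) < ONE_YEAR:
                problems.append((name, f"max-age below one year: {actual!r}"))
            if "includesubdomains" not in directives:
                problems.append((name, "includeSubDomains directive absent"))
        else:
            allowed = ACCEPTABLE_VALUES.get(name, {expected.lower()})
            if actual.lower() not in allowed:
                problems.append((name, f"unexpected value {actual!r}, expected {expected!r}"))
    return problems


if __name__ == "__main__":
    # Constructed sample response: one header already set by the site.
    sample = {"Content-Type": "text/html", "x-frame-options": "DENY"}
    print(audit_security_headers(sample))
    print(apply_security_headers(sample))
```

The audit treats `DENY` as acceptable because it is stricter than `SAMEORIGIN`, and it flags an HSTS header whose max-age is shorter than the one-year value above or which lacks `includeSubDomains`. One caveat when reading the audit output: current Chromium and Firefox no longer implement the XSS filter that X-XSS-Protection controls, so that header is harmless but provides no protection in those browsers.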