HTTP headers to secure your app for the busy web developer
- Set an X-Frame-Options header so that another site cannot wrap your pages in an iframe and clickjack them. The two values every browser honours are DENY and SAMEORIGIN; ALLOW-FROM is obsolete and ignored by current browsers, so if you need to allow a specific third-party origin to embed you, express it with the Content-Security-Policy frame-ancestors directive instead (you can send both headers; where frame-ancestors is supported it takes precedence).
- X-XSS-Protection was meant to make the browser's built-in filter block reflected XSS (cross-site scripting), but that filter is gone: Chrome and Edge removed theirs, Firefox never had one, and the filter itself could be abused to leak information about the page. Send X-XSS-Protection: 0 (or omit the header) and rely on proper output encoding and a Content-Security-Policy for XSS defence.
- Send Strict-Transport-Security (HSTS) so that, for max-age seconds after the browser first sees it, the browser rewrites every http:// request to your host to https:// and refuses to click through certificate errors. The header is only honoured when it arrives over a valid HTTPS connection, so the very first visit must still reach HTTPS (a redirect, or the browser preload list). Add includeSubDomains to cover subdomains, and add preload only once you intend to submit the domain to the preload list.
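The three headers above in working form, as an added example that is not code from the original post: `securityHeaders()` builds the hardened set (CSP frame-ancestors alongside the two safe X-Frame-Options values, X-XSS-Protection disabled, a one-year HSTS), `applySecurityHeaders()` writes them onto any object with a `setHeader()` method such as Node's `http.ServerResponse`, and `auditHeaders()` flags the legacy values in an existing response. The helper names, the sample origins and the one-year max-age threshold are my own assumptions; the legacy response at the bottom is constructed for illustration.

```javascript
// Added example (not from the original post). Builds the hardened header set
// discussed above and audits an existing response for the legacy values.
// Helper names, origins and the one-year threshold are illustrative assumptions.

const ONE_YEAR = 31536000; // seconds; also the minimum the HSTS preload list requires

// frameAncestors is a CSP source list: ["'none'"], ["'self'"], or explicit
// origins such as ["https://embed.example"].
function securityHeaders({ frameAncestors = ["'none'"], hstsMaxAge = ONE_YEAR,
                           includeSubDomains = true, preload = false } = {}) {
  const headers = {
    // CSP frame-ancestors is the current framing control.
    'Content-Security-Policy': `frame-ancestors ${frameAncestors.join(' ')}`,
    // '0' switches the deprecated browser XSS filter off; do not re-enable it.
    'X-XSS-Protection': '0',
    'Strict-Transport-Security':
      `max-age=${hstsMaxAge}` +
      (includeSubDomains ? '; includeSubDomains' : '') +
      (preload ? '; preload' : ''),
  };
  // X-Frame-Options is kept only for the two values every browser understands.
  // A third-party allow-list cannot be expressed in it (ALLOW-FROM is obsolete),
  // so for that case only the CSP header is sent.
  if (frameAncestors.length === 1 && frameAncestors[0] === "'none'") {
    headers['X-Frame-Options'] = 'DENY';
  } else if (frameAncestors.length === 1 && frameAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Write the headers onto a response (e.g. inside an http.createServer handler).
function applySecurityHeaders(res, options) {
  const headers = securityHeaders(options);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Audit a header map (names are matched case-insensitively) for the weak or
// obsolete settings called out above. Returns a list of finding strings.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];

  const xfo = lower['x-frame-options'];
  const csp = lower['content-security-policy'] || '';
  if (!xfo && !/frame-ancestors/i.test(csp)) {
    findings.push('clickjacking: neither X-Frame-Options nor CSP frame-ancestors is set');
  } else if (xfo && /^allow-from/i.test(xfo.trim())) {
    findings.push('X-Frame-Options ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors');
  }

  const xss = lower['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0') {
    findings.push('X-XSS-Protection enables a deprecated browser filter; send 0 or drop it and use CSP');
  }

  const hsts = lower['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('Strict-Transport-Security missing: browsers will still follow plain-HTTP links');
  } else {
    const m = /max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    if (!m) findings.push('Strict-Transport-Security has no max-age and is ignored');
    else if (Number(m[1]) < ONE_YEAR) findings.push(`Strict-Transport-Security max-age=${m[1]} is below one year`);
  }
  return findings;
}

// Constructed sample: a response that still carries the legacy values.
const legacyResponse = {
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'X-XSS-Protection': '1; mode=block',
  'Strict-Transport-Security': 'max-age=300',
};
// auditHeaders(legacyResponse) -> three findings; auditHeaders(securityHeaders()) -> []
```

To use it in a server, call `applySecurityHeaders(res)` at the top of the request handler before writing the body; the audit function is handy for checking a proxy or CDN that rewrites headers, since it looks only at the final header map.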