Set security headers
Set common security headers such as X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options.
- Content-Security-Policy headers: Enabling these headers will permit content from a trusted domain and all its subdomains. Refer to Content-Security-Policy ↗ for details.
- Strict-Transport-Security headers: These are not automatically set because your website might get added to Chrome's HSTS preload list.
- Permissions-Policy header: Allow or deny the use of browser features, such as opting out of FLoC.
- X-XSS-Protection header: Prevents a page from loading if an XSS attack is detected. Refer to X-XSS-Protection ↗ for details.
- X-Frame-Options header: Prevents click-jacking attacks. Refer to X-Frame-Options ↗.