Security Headers
A complete, copy-paste security header set (and what each one does)
A practical reference: the security headers worth setting, sane values for each, and exactly what every line buys you. Copy it, adjust the CSP, ship it.
Tag
#hsts
Security Headers
HSTS explained: why HTTPS alone is not enough
You have HTTPS — but the first plain-HTTP request is still a weak point. HSTS closes it by telling the browser to never speak HTTP to your site again.
Security Headers
What is a security header, and which ones actually matter?
Security headers are short instructions your server sends with every page, telling the browser to switch on protections. Most sites are missing several. Here is the shortlist.