Max Veytsman post touches security consideration when working with HTTP headers. The article explains what secure headers are and how to implement these headers in Rails, Django, Express.js, Go, Nginx, and Apache.
Author explains that some headers may be best configured in on your HTTP servers, while others should be set on the application layer. Use your own discretion here. You can test how well you’re doing with Mozilla’s Observatory.
Detailed description with explanation when to use it include topics like:
- X-XSS-Protection
- Content Security Policy
- HTTP Strict Transport Security
- HTTP Public Key Pinning (HPKP)
- X-Frame-Options
- and more…