Security Headers are HTTP response headers that instruct the browser how to handle a site's content, closing off behaviour such as framing, MIME sniffing, plaintext HTTP and loading scripts from arbitrary origins that an attacker could otherwise exploit. They let you be explicit about your intentions for the content served from your website.
Different kinds of Security Headers and their uses:
HTTP Strict Transport Security (the Strict-Transport-Security header, HSTS) is an excellent feature to support on your site: it strengthens your TLS deployment by getting the user agent to enforce HTTPS for every later request to the host, so a downgrade to plain HTTP is refused by the browser itself.
Recommended value "Strict-Transport-Security: max-age=2592000; includeSubDomains". The browser only honours the header when it arrives over a valid HTTPS connection, and includeSubDomains commits every subdomain to HTTPS for the whole max-age, so confirm all subdomains serve TLS before adding it.
X-Frame-Options tells the browser whether your site may be framed by another page. By preventing a browser from framing your site you defend against attacks like clickjacking, where a transparent frame of your page is laid over attacker-controlled content.
Recommended value "X-Frame-Options: SAMEORIGIN" (use DENY if nothing on your own site needs to frame it). The Content-Security-Policy frame-ancestors directive is the modern equivalent and supports more than one origin.
X-XSS-Protection configures the reflected cross-site scripting filter that was built into older browsers.
Recommended value "X-XSS-Protection: 1; mode=block". Note that current browsers have removed this filter, so the header no longer provides protection on its own; a Content-Security-Policy is the effective defence, and sending "X-XSS-Protection: 0" is the common choice today where the legacy filter must be disabled explicitly.
X-Content-Type-Options stops the browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type, so a user-uploaded file cannot be reinterpreted as HTML or script. The only valid value for this header is "X-Content-Type-Options: nosniff".
X-Download-Options instructs the browser not to open a download directly in the browser, but instead to offer only the "Save" option, so a downloaded HTML file cannot run in your site's security context. Only Internet Explorer and legacy Edge honour it.
Recommended value "X-Download-Options: noopen"
X-Permitted-Cross-Domain-Policies restricts Adobe Flash Player's and Acrobat's cross-domain access to data on your site.
Recommended value "X-Permitted-Cross-Domain-Policies: master-only", which means only the master crossdomain.xml policy file at the site root is honoured and no other policy files are trusted.
Content-Security-Policy is an effective measure to protect your site from XSS attacks. By whitelisting the sources of approved content per resource type, you stop the browser from loading assets (scripts, styles, images, fonts, XHR endpoints) that an injected payload points at.
Recommended value: "Content-Security-Policy: default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';". Be aware that 'unsafe-inline' in script-src lets any injected inline <script> run and so gives back most of the XSS protection the policy exists to provide; drop it and whitelist your own inline scripts with a per-response nonce or a hash instead.
HTTP Public Key Pinning (the Public-Key-Pins header, HPKP) was meant to protect your site from MITM attacks using rogue X.509 certificates. By whitelisting only the public keys the browser should trust for your host, your users are protected if a certificate authority is compromised. Browsers have since deprecated and removed support for it, and a wrong or stale pin set locks your own users out for the full max-age, so it should not be deployed on new sites; Certificate Transparency monitoring is the practical replacement.
Now, to check the security headers of your website: I wrote a Python tool which lists all the security headers of a website.
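As an added example (this is not the author's tool, which is not reproduced here), the following Python audit takes a response's headers as a plain dict and checks them against the headers discussed above. It goes beyond a simple presence check: it parses the HSTS max-age and the CSP directives, flags 'unsafe-inline'/'unsafe-eval'/'*' in script-src, and reports the legacy X-XSS-Protection and Public-Key-Pins headers as informational findings. The threshold MIN_HSTS_MAX_AGE, the severity labels and both sample header sets are assumptions constructed for the example, not captured from any real server.

```python
"""Offline security-header audit (added example, not the tool this page describes)."""
import re

# Baseline taken from the recommended values above, with script-src tightened
# to drop 'unsafe-inline' (assumption: your inline scripts carry a nonce or hash).
HARDENED_RESPONSE = {  # constructed sample, not captured from a real server
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "Content-Security-Policy": ("default-src 'self'; img-src 'self'; style-src 'self'; "
                                "font-src 'self'; script-src 'self'; connect-src 'self'"),
}

WEAK_RESPONSE = {  # constructed sample of a poorly configured site
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
}

MIN_HSTS_MAX_AGE = 2592000  # assumption: 30 days, the page's own recommended lifetime


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directive names are lowercased."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return a list of (severity, header, message) findings for one response.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("missing", "Strict-Transport-Security", "HSTS not set"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_MAX_AGE:
            findings.append(("weak", "Strict-Transport-Security",
                             f"max-age {age} below {MIN_HSTS_MAX_AGE}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("weak", "Strict-Transport-Security", "includeSubDomains not set"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("missing", "X-Frame-Options", "site can be framed (clickjacking)"))
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("weak", "X-Frame-Options", f"unexpected value {xfo!r}"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("missing", "X-Content-Type-Options", "nosniff not set"))

    for name in ("X-Download-Options", "X-Permitted-Cross-Domain-Policies"):
        if name.lower() not in h:
            findings.append(("missing", name, "header not set"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("missing", "Content-Security-Policy", "no CSP"))
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append(("weak", "Content-Security-Policy", "no default-src fallback"))
        # script-src falls back to default-src when absent, exactly as the browser does
        script = policy.get("script-src", policy.get("default-src", []))
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in script:
                findings.append(("weak", "Content-Security-Policy", f"script-src allows {bad}"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("info", "X-XSS-Protection",
                         "legacy filter removed from current browsers; rely on CSP"))
    if "public-key-pins" in h:
        findings.append(("info", "Public-Key-Pins",
                         "HPKP is deprecated and unenforced; bad pins lock users out"))
    return findings


if __name__ == "__main__":
    for severity, header, message in audit_headers(WEAK_RESPONSE):
        print(f"[{severity}] {header}: {message}")
```

To audit a live site, pass `dict(requests.get(url).headers)` (or any other client's header mapping) to `audit_headers`; the hardened sample yields no findings, while the weak one produces ten, including all three script-src problems.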