Security headers checklist
- Strict-Transport-Security (HSTS) — forces HTTPS, prevents downgrade attacks
- Content-Security-Policy (CSP) — restricts where scripts and other resources may load from; mitigates XSS
- X-Frame-Options — prevents clickjacking by controlling iframe embedding
- X-Content-Type-Options: nosniff — prevents MIME type sniffing
- Referrer-Policy — controls how much referrer info is sent
- Permissions-Policy — limits browser feature access
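A way to turn the list above into an automated check, as an added example that is not part of the original checklist: the audit takes a response's headers (case-insensitive) and reports which checklist items are missing or weakly configured. The thresholds it applies (HSTS max-age of at least one year, rejecting 'unsafe-inline' or '*' as a script source, accepting CSP frame-ancestors in place of X-Frame-Options) are this example's own choices, and the sample header sets are constructed.

```python
"""Audit an HTTP response's security headers against the checklist.

Added example, not code from the original page. Thresholds (one-year HSTS,
no 'unsafe-inline'/'*' script sources) are this example's assumptions.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS lifetime for this check


def _norm(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def _csp_directives(value):
    """Parse "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_security_headers(headers):
    """Return a list of (header, problem) findings; an empty list means all checks passed."""
    h = _norm(headers)
    findings = []

    # HSTS: present, long-lived, and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "max-age shorter than one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    # CSP: present, and script execution not opened up by 'unsafe-inline' or '*'
    frame_ancestors = None
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        d = _csp_directives(csp)
        script_sources = d.get("script-src", d.get("default-src", []))
        if not script_sources:
            findings.append(("Content-Security-Policy", "no script-src or default-src"))
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append(("Content-Security-Policy", "script sources allow 'unsafe-inline' or '*'"))
        frame_ancestors = d.get("frame-ancestors")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors as the modern equivalent
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and frame_ancestors is None:
        findings.append(("X-Frame-Options", "missing or not DENY/SAMEORIGIN, and no CSP frame-ancestors"))

    # MIME sniffing
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "nosniff not set"))

    # Referrer leakage
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("Referrer-Policy", "missing"))
    elif "unsafe-url" in rp.lower():
        findings.append(("Referrer-Policy", "unsafe-url sends the full URL cross-origin"))

    # Browser feature access
    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "missing"))

    return findings


# Constructed sample header sets: a weak configuration and a hardened one.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_security_headers(hdrs) or "all checks passed")
```

Feed it the header dict from any HTTP client response; the weak sample yields six findings (only the nosniff check passes) and the hardened sample yields none.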
Cache headers
- Cache-Control: max-age — seconds the response is fresh
- Cache-Control: public/private — can be cached by CDN/intermediaries or only by browser
- Cache-Control: no-store — never cache (sensitive data)
- ETag / Last-Modified — used for conditional revalidation
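The cache items above worked through in code, as an added example that is not part of the original checklist: a small Cache-Control parser, a cacheability decision (no-store, private, or storable by a shared cache such as a CDN), the freshness lifetime with s-maxage taking precedence for shared caches, and the server side of conditional revalidation with ETag / Last-Modified. The sample responses are constructed, and the cacheability rule is simplified (it ignores Authorization and heuristic-freshness rules from RFC 9111).

```python
"""Cache-Control, freshness and conditional revalidation, end to end.

Added example, not code from the original page. Sample responses are
constructed; the cacheability rule is a simplified reading of RFC 9111.
"""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'public, max-age=600' -> {'public': None, 'max-age': '600'} (names lower-cased)."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return out


def cacheability(response_headers):
    """'none' for no-store, 'browser-only' for private, otherwise 'shared' (CDN may store)."""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return "none"          # sensitive data: never written to any cache
    if "private" in cc:
        return "browser-only"  # per-user content: intermediaries must not store it
    return "shared"            # simplified: assumes no Authorization header on the request


def freshness_lifetime(response_headers, shared=False):
    """Seconds the response is fresh; s-maxage overrides max-age for shared caches only."""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if cacheability(response_headers) == "none":
        return 0
    if shared and cc.get("s-maxage") is not None:
        return int(cc["s-maxage"])
    if cc.get("max-age") is not None:
        return int(cc["max-age"])
    return 0  # no explicit lifetime: treat as immediately stale


def _strip_weak(tag):
    """Weak comparison: W/"v1" and "v1" match."""
    return tag[2:] if tag.startswith("W/") else tag


def revalidate(request_headers, current_etag, current_last_modified):
    """Server side of a conditional GET: 304 if the client's copy is still current, else 200.

    If-None-Match takes precedence over If-Modified-Since when both are present.
    """
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        candidates = [_strip_weak(t.strip()) for t in inm.split(",")]
        if "*" in candidates or _strip_weak(current_etag) in candidates:
            return 304
        return 200
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        if parsedate_to_datetime(ims) >= parsedate_to_datetime(current_last_modified):
            return 304
    return 200


# Constructed sample responses.
SENSITIVE = {"Cache-Control": "no-store"}
PROFILE = {"Cache-Control": "private, max-age=60"}
ASSET = {
    "Cache-Control": "public, max-age=600, s-maxage=86400",
    "ETag": '"v1"',
    "Last-Modified": "Wed, 01 Jan 2025 00:00:00 GMT",
}

if __name__ == "__main__":
    for name, r in (("sensitive", SENSITIVE), ("profile", PROFILE), ("asset", ASSET)):
        print(name, cacheability(r), freshness_lifetime(r), freshness_lifetime(r, shared=True))
    print(revalidate({"If-None-Match": '"v1"'}, ASSET["ETag"], ASSET["Last-Modified"]))
```

The asset response is fresh for 600 seconds in a browser but 86400 seconds at a CDN, the profile response is stored by the browser only, and the no-store response has no lifetime anywhere; a client sending back the matching ETag or a Last-Modified date that is not older than the server's gets a 304 with no body.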