About HTTP Security Headers
HTTP response headers are the first line of defense for any web application. They give the server a way to tell the browser how to behave when handling the site's content. A properly configured set of headers blocks or sharply limits entire classes of attack, including Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks.
Hardening Your Server
Server hardening begins with "Safe by Default" headers. HSTS (Strict-Transport-Security) tells a browser that has seen it to connect to your site only over HTTPS for the stated max-age, so plain-HTTP links are rewritten to HTTPS and certificate errors cannot be clicked through. X-Content-Type-Options: nosniff stops browsers from guessing (MIME-sniffing) a response's content type, so a file is handled only as its declared Content-Type.
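The check a practitioner would want here is an audit of what a server actually sends, not just what the config file says. The following is an added example (not from the original page): it parses the Strict-Transport-Security and X-Content-Type-Options headers from a response and reports each as missing, weak or ok. The sample responses and the six-month max-age threshold are constructed for this example; the threshold is the value commonly cited for preload eligibility, and you may tune it.

```python
"""Audit transport-hardening headers on an HTTP response (added example)."""
from dataclasses import dataclass

# Assumed threshold: roughly six months in seconds, the commonly cited
# minimum for HSTS preload eligibility. Adjust to your own policy.
HSTS_MIN_MAX_AGE = 15552000


@dataclass
class HeaderFinding:
    header: str
    severity: str  # "missing", "weak" or "ok"
    detail: str


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are lower-cased; directives without a value map to ''.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def audit_headers(headers: dict) -> list:
    """Return one HeaderFinding per hardening header (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts_name = "Strict-Transport-Security"
    hsts = lower.get(hsts_name.lower())
    if hsts is None:
        findings.append(HeaderFinding(hsts_name, "missing",
                                      "browser will still accept plain HTTP for this host"))
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed; treated as weak below
        if max_age < 0:
            findings.append(HeaderFinding(hsts_name, "weak", "max-age missing or not an integer"))
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(HeaderFinding(hsts_name, "weak",
                                          f"max-age={max_age} is below {HSTS_MIN_MAX_AGE}"))
        elif "includesubdomains" not in d:
            findings.append(HeaderFinding(hsts_name, "weak",
                                          "includeSubDomains absent; subdomains remain downgradable"))
        else:
            findings.append(HeaderFinding(hsts_name, "ok", hsts))

    xcto_name = "X-Content-Type-Options"
    xcto = lower.get(xcto_name.lower())
    if xcto is None:
        findings.append(HeaderFinding(xcto_name, "missing", "responses may be MIME-sniffed"))
    elif xcto.strip().lower() != "nosniff":
        findings.append(HeaderFinding(xcto_name, "weak", f"unexpected value {xcto!r}"))
    else:
        findings.append(HeaderFinding(xcto_name, "ok", xcto))

    return findings


def is_hardened(headers: dict) -> bool:
    """True only when every audited header is present with an acceptable value."""
    return all(f.severity == "ok" for f in audit_headers(headers))


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {name} ==")
        for f in audit_headers(resp):
            print(f"{f.header}: {f.severity} ({f.detail})")
```

The audit deliberately treats a short max-age as weak rather than ok: a browser forgets the HTTPS-only rule once max-age expires, so a value of a few minutes protects only visitors who return almost immediately. In practice you would feed it the header dict from a real client such as `requests` or `urllib`.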
Defense in Depth
A Content Security Policy (CSP) is perhaps the most powerful header available. It lets you whitelist, per resource type (scripts, styles, images, frames, and so on), the specific origins from which the browser may load content; anything not listed is blocked. That gives a vital layer of defense in depth: if an injection flaw slips through elsewhere, the policy limits what the injected content can do.
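To make the allow-list behaviour concrete, here is an added example (not part of the original page) that parses a CSP string into its directives, applies the default-src fallback, decides whether a given URL would be permitted for a directive, and flags script-src sources that largely defeat the policy. Source matching is a simplified form of the CSP rules (scheme, host with optional leading wildcard, optional port; path matching, nonces and hashes are omitted), the page origin and sample policies are constructed, and the list of risky sources is an assumption for this example.

```python
"""Parse a Content-Security-Policy and check what it permits (added example)."""
from urllib.parse import urlsplit

# Assumed list: source expressions that let arbitrary script run despite the policy.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "object-src", "media-src"}


def parse_csp(policy: str) -> dict:
    """Split "default-src 'self'; script-src 'self' https://cdn.example" into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue  # a repeated directive is ignored, as browsers do
        directives[name] = tokens[1:]
    return directives


def effective_sources(csp: dict, directive: str) -> list:
    """Sources that apply to a directive, using default-src as the fallback."""
    if directive in csp:
        return csp[directive]
    if directive in FETCH_DIRECTIVES:
        return csp.get("default-src", [])
    return []


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source matching for one source expression against one URL."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return u.scheme in ("http", "https")  # '*' does not cover data:/blob: schemes
    if source.endswith(":"):  # scheme-source such as https: or data:
        return u.scheme == source[:-1]
    if "://" in source:  # host-source with an explicit scheme
        scheme, _, hostport = source.partition("://")
        if scheme != u.scheme:
            return False
    else:
        hostport = source
    hostport = hostport.split("/", 1)[0]  # path component is ignored in this simplified form
    src_host, _, src_port = hostport.partition(":")
    src_host = src_host.lower()
    if src_port:
        default_port = 443 if u.scheme == "https" else 80
        if src_port != str(u.port or default_port):
            return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # '*.cdn.example' matches a.cdn.example, not cdn.example
    return src_host == host


def allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a browser enforcing `policy` on `page_origin` load `url` for `directive`?"""
    sources = effective_sources(parse_csp(policy), directive)
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


def weak_script_sources(policy: str) -> list:
    """Script sources that make the policy little better than none."""
    sources = effective_sources(parse_csp(policy), "script-src")
    return [s for s in sources if s.lower() in RISKY_SCRIPT_SOURCES]


# Constructed sample policies and page origin.
PAGE_ORIGIN = "https://app.example"
STRICT_POLICY = ("default-src 'none'; script-src 'self' https://cdn.example; "
                 "img-src 'self' data:; style-src 'self'")
LAX_POLICY = "default-src *; script-src * 'unsafe-inline'"

if __name__ == "__main__":
    for url in ("https://app.example/main.js", "https://cdn.example/lib.js",
                "https://evil.example/x.js"):
        print(url, "strict:", allows(STRICT_POLICY, "script-src", url, PAGE_ORIGIN),
              "lax:", allows(LAX_POLICY, "script-src", url, PAGE_ORIGIN))
    print("weak script sources in lax policy:", weak_script_sources(LAX_POLICY))
```

The two policies show the point of the paragraph: under the strict policy a script from an origin the author never listed is refused, and a connection to the app's own API is refused too because connect-src falls back to default-src 'none' (an easy misconfiguration to catch with a check like this); the lax policy passes everything and is reported as such.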