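# Forbid rendering this site inside any frame (requires mod_headers)
Header always set X-FRAME-OPTIONS "DENY"
# Turn on the legacy browser XSS filter and block the page when it triggers
Header always set X-XSS-Protection "1; mode=block"
# Stop browsers from MIME-sniffing responses away from the declared Content-Type
Header always set X-Content-Type-Options "nosniff"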