HTTP headers you should know to keep your website secure.
1. X-POWERED-BY
This response header is set by the hosting environment or web framework and reveals which one produced the response. For example, if you are using Express, it shows that the response was returned by an Express server.
Such information helps attackers by disclosing the server software or framework (and sometimes its version), which narrows down which known weaknesses to try.
To avoid this, disable the header in the response, or replace its value with misleading information.
2. X-FRAME-OPTIONS
This response header indicates whether a browser should be allowed to render the page inside a <frame>, <iframe>, <embed> or <object>.
You can use it to prevent clickjacking attacks by setting X-FRAME-OPTIONS to DENY.
Clickjacking: Clickjacking is a technique for tricking users into interacting with a page other than the one they think they are using.
This is achieved by loading your page in a malicious context, by means of an iframe. In that context, an attacker can place a hidden layer over your web page, so that a click the user intends for the attacker's visible decoy actually lands on a hidden button of your page and triggers an unwanted action.
3. X-XSS-PROTECTION
Cross-Site Scripting (XSS) is a security exploit that allows an attacker to inject malicious client-side code into a website.
This response header enables a browser feature that stops pages from loading when a reflected cross-site scripting (XSS) attack is detected.
4. X-CONTENT-TYPE-OPTIONS
Browsers can use content or MIME type sniffing to override the response's Content-Type header, guessing an implicit content type and processing the data as that type.
This response header is a marker from the server indicating that the MIME type advertised in the Content-Type header must be followed and not changed.
5. X-DOWNLOAD-OPTIONS
Some web applications serve untrusted HTML for download. Some versions of IE by default open such HTML files in the context of your site.
This header tells the browser (IE) not to offer the option to open a file downloaded from the application, which prevents phishing attacks that rely on the downloaded file running in your site's context.
6. STRICT-TRANSPORT-SECURITY
HTTP Strict Transport Security (HSTS) is a web security policy that helps protect websites against protocol downgrade attacks and cookie hijacking.
It tells the browser that the site should only be accessed over HTTPS, never plain HTTP.
7. CONTENT-SECURITY-POLICY
By setting and configuring a Content Security Policy (CSP) you can prevent anything unintended from being injected into your page.
This protects your app from XSS vulnerabilities, undesired tracking, malicious frames, and much more.
CSP works by defining an allow-list of trusted content sources; the browser refuses to load scripts, styles, frames and other resources from anywhere else.
If you are using Express in your stack, you can use the helmet npm package to set these headers for you.
The basic usage of helmet is as follows.
- Install helmet in your app with:
    npm install helmet
- Import helmet and register it as middleware before your routes:
    const express = require("express");
    const helmet = require("helmet");

    const app = express();
    app.use(helmet()); // sets the security headers described above with sensible defaults
- Please refer to the official documentation of the helmet package for more details: npmjs.com/package/helmet