Here is a list of useful HTTP response headers you should know about:
- X-Content-Type-Options
When set to "nosniff", this header prevents browsers from MIME-sniffing a response away from the declared Content-Type. While this header is more relevant for "normal" web applications (it protects against some types of drive-by downloads), it does not hurt to add it to your REST service, if
See http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
X-Content-Type-Options: nosniff
- X-Frame-Options
Provides clickjacking protection. Allowed values are:
  - DENY: no rendering within a frame at all
  - SAMEORIGIN: no rendering if the framing page's origin differs from the response's origin
  - ALLOW-FROM <uri>: render only if framed by a page loaded from that URI. Note that ALLOW-FROM was never implemented by Chrome or Safari and has since been dropped by Firefox, so it cannot be relied on; use the Content-Security-Policy frame-ancestors directive when a specific framing origin must be permitted.
X-Frame-Options: deny
- X-XSS-Protection
Re-enables the reflected cross-site scripting (XSS) filter in IE and older Chrome if the user has disabled it; mode=block makes the browser stop rendering the page instead of trying to sanitise it. Chrome and Edge have since removed their XSS filters and Firefox never had one, so current browsers ignore this header; treat it as legacy and rely on a Content-Security-Policy instead.
X-XSS-Protection: 1; mode=block
- Strict-Transport-Security
Enables HTTP Strict Transport Security (HSTS). For max-age seconds after receiving this header over HTTPS, the browser refuses to talk plain HTTP to the host and upgrades such requests to HTTPS itself (the header is ignored when received over plain HTTP). Additionally, you can include all subdomains:
Strict-Transport-Security: max-age=16070400; includeSubDomains
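As an added example (not part of the original list), the following Python code checks whether a response carries the four headers above with sane values, and shows a small WSGI middleware that adds the recommended values to any response that lacks them. The minimum HSTS max-age defaults to the 16070400 seconds used above; the WSGI demo application and the finding strings are constructed here for illustration.

```python
"""Audit and enforce the response headers listed above (added example)."""
from typing import Callable, Dict, List

# Recommended values, taken from the list above.
RECOMMENDED: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into {directive: value}; RFC 6797 directives are case-insensitive."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_security_headers(headers: Dict[str, str], min_hsts_age: int = 16070400) -> List[str]:
    """Return a list of findings; an empty list means every header is present with a sane value."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    xfo = h.get("x-frame-options", "").lower()
    if xfo.startswith("allow-from"):
        findings.append("X-Frame-Options: ALLOW-FROM is ignored by current browsers, use CSP frame-ancestors instead")
    elif xfo not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")

    xxp = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xxp != "1;mode=block":
        findings.append("X-XSS-Protection: missing or not '1; mode=block'")

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if "max-age" not in hsts:
        findings.append("Strict-Transport-Security: missing or without max-age")
    else:
        try:
            age = int(hsts["max-age"])
        except ValueError:
            age = -1  # non-numeric max-age is treated as absent
        if age < min_hsts_age:
            findings.append(f"Strict-Transport-Security: max-age={hsts['max-age']} is below {min_hsts_age}")
        if "includesubdomains" not in hsts:
            findings.append("Strict-Transport-Security: includeSubDomains not set")
    return findings


def add_security_headers(app: Callable) -> Callable:
    """WSGI middleware that appends the RECOMMENDED headers the application did not set itself."""
    def wrapped(environ, start_response):
        def start_response_with_headers(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            extra = [(n, v) for n, v in RECOMMENDED.items() if n.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)
        return app(environ, start_response_with_headers)
    return wrapped


def _demo_app(environ, start_response):
    """Constructed minimal WSGI application (not a real service) used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status":"ok"}']


def response_headers_of(app: Callable) -> Dict[str, str]:
    """Run one request through a WSGI app in-process and capture the headers it sends."""
    captured: Dict[str, str] = {}

    def start_response(status, response_headers, exc_info=None):
        captured.update(response_headers)
        return lambda data: None

    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


if __name__ == "__main__":
    print(audit_security_headers(response_headers_of(_demo_app)))                       # four findings
    print(audit_security_headers(response_headers_of(add_security_headers(_demo_app))))  # []
```

The middleware deliberately does not override headers the application already sets, so a route that needs X-Frame-Options: SAMEORIGIN keeps it; run the audit function against the captured headers of your own app (or against a dict built from a real response) to confirm nothing is missing.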