Controls browser and intermediary caching behavior for responses.

Instructs the browser to clear site data like cookies, storage, and cache (useful for logout or account changes).

Controls which cross-origin resources can be loaded by requiring CORP/CORS compliance (often used for cross-origin isolation).

CSP reduces XSS risk by controlling which sources can load scripts, styles, images, and more.

Controls whether your top-level page shares a browsing context group with cross-origin documents (security/isolation).

Allows a resource to declare whether it can be requested from other origins (helps COEP / prevents leaks).

CORS controls which origins can read responses from your server when browsers make cross-origin requests.

Enables conditional requests to reduce bandwidth by reusing cached content when unchanged.

Legacy caching header that sets an absolute expiration date/time for content.

HSTS forces browsers to use HTTPS for your domain, preventing downgrade attacks and reducing SSL-stripping risk.

Restricts access to powerful browser features (camera, mic, geolocation, etc.) across your site.

Controls how much referrer information is sent when navigating away from your site.

Reporting headers help browsers send structured reports for network errors and policy violations (useful for diagnostics and security monitoring).

Server and X-Powered-By headers can reveal stack details; reducing exposure can be beneficial.

Prevents MIME-sniffing by forcing the browser to respect the declared Content-Type.

Controls whether the browser may prefetch DNS for links on the page (performance/privacy tradeoff).

Helps protect against clickjacking by controlling whether your site can be embedded in an iframe.

Legacy header for old browser XSS filters. Modern browsers ignore it; CSP is the modern defense.