Web security
What are security headers?
Security headers are a handful of HTTP response headers — Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy — that instruct the browser to enforce protections against XSS, clickjacking, MIME-sniffing, and information leakage. They cost nothing to add and an assessor checks them first because they are a quick read on how seriously a team takes web hygiene.
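A small audit of the six headers named above, added here as an illustration and not code from the original page. The function names, the choice of checks and the sample header sets are assumptions constructed for the example; beyond presence, it flags values that leave a header ineffective.

```python
import re

def _hsts(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return None if m and int(m.group(1)) > 0 else "max-age missing or zero, so HSTS is not enforced"

def _csp(value):
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # script-src falls back to default-src when it is absent
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "no script-src or default-src, so script sources are unrestricted"
    # browsers ignore 'unsafe-inline' once a nonce or hash source is present
    pinned = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "scripts allow 'unsafe-inline'" if "'unsafe-inline'" in sources and not pinned else None

def _exact(*allowed):
    return lambda v: None if v.strip().lower() in allowed else "expected " + " or ".join(allowed)

CHECKS = {  # the six headers named above; each check returns None or a finding
    "content-security-policy": _csp,
    "strict-transport-security": _hsts,
    "x-content-type-options": _exact("nosniff"),
    "x-frame-options": _exact("deny", "sameorigin"),
    "referrer-policy": lambda v: "unsafe-url sends full URLs to other origins"
        if v.split(",")[-1].strip().lower() == "unsafe-url" else None,  # last of a fallback list
    "permissions-policy": lambda v: None,  # presence only
}

def audit(headers):
    """Return {header: finding}; an empty dict means nothing was flagged."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    results = {n: (check(seen[n]) if n in seen else "missing") for n, check in CHECKS.items()}
    return {n: r for n, r in results.items() if r}

# Constructed sample header sets, not captured from any real site
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "strict-transport-security": "max-age=0", "X-Frame-Options": "ALLOWALL"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), geolocation=()"}

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```

The WEAK set is flagged on all six headers even though three of them are present, which is the gap a presence-only scan misses.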