Response Header
Security information in the response header.
| Header Name | Description | Setting Example | Setting Explanation |
|---|---|---|---|
| X-Frame-Options | Restricts which domains may load the page in an iframe. Specify this header to prevent clickjacking. | X-Frame-Options: SAMEORIGIN | DENY: block framing from any domain; SAMEORIGIN: allow framing only from the same domain; ALLOW-FROM origin_uri: allow framing from a specific domain |
| X-XSS-Protection | Enables or disables the browser's XSS filter. | X-XSS-Protection: 1 or X-XSS-Protection: 1; mode=block | 0: disable the XSS filter; 1: enable the XSS filter |
| Strict-Transport-Security | Forces the browser to use HTTPS for requests to the same domain. | Strict-Transport-Security: max-age=86400 | max-age: enables the setting for the specified time (in seconds); includeSubDomains: applies the setting to subdomains as well |
| X-Content-Type-Options | Stops IE from guessing (sniffing) file types. Prevents XSS caused by a non-HTML file being interpreted as HTML. | X-Content-Type-Options: nosniff | nosniff: do not use guesswork to determine file types |
| X-Download-Options | Prevents downloaded files from being opened directly, among other settings. | X-Download-Options: noopen | noopen: the file can only be saved locally |
| Content-Security-Policy | Loads scripts and CSS only from specific trusted locations. | Content-Security-Policy: default-src 'self' | default-src 'self': allow loading of resources from the same domain only; default-src 'self' *.xxxx.com: allow loading of resources from the same domain and from subdomains of a specific domain |
| Set-Cookie | Instructs the browser to store a cookie. | Set-Cookie: name=value; secure; HttpOnly; path=/; domain=xxx.xxxx.co.jp; samesite=Lax | secure: the cookie is sent only over HTTPS; HttpOnly: the cookie cannot be accessed from JavaScript; path: the path for which the cookie is sent; domain: the domain for which the cookie is sent, matched as a suffix; samesite: the conditions under which the cookie is sent, in brief None: none, Lax: low, Strict: high |
| Cache-Control | Controls the browser cache. | Cache-Control: no-cache, no-store, must-revalidate | no-cache: not stored on cache servers; must-revalidate: check whether the cached file is up to date |

Note on Strict-Transport-Security: a Strict-Transport-Security header received over plain HTTP is ignored, because HTTP communication is susceptible to tampering. When the site is reached over HTTPS without certificate errors or other communication problems, the browser forces subsequent access over HTTPS according to the Strict-Transport-Security specification, if the header is present.
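As an added example that is not part of the original page, the following audit function checks a captured set of response headers against the settings in the table (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy, Cache-Control and the Set-Cookie attributes). The two header sets at the bottom are constructed for illustration, not taken from a real site.

```python
import re

def audit_headers(headers: dict) -> list:
    """Return findings (strings) for headers that are missing or weakly set.
    headers: header name -> value; 'Set-Cookie' may be a list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # X-Frame-Options: DENY, SAMEORIGIN or ALLOW-FROM <uri>, otherwise clickjacking risk
    xfo = str(h.get("x-frame-options", "")).strip().upper()
    if not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")):
        findings.append("X-Frame-Options: missing or invalid (clickjacking)")

    # X-Content-Type-Options must be exactly nosniff to stop MIME sniffing
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set (MIME sniffing)")

    # HSTS needs a positive max-age; the header is only honoured over HTTPS anyway
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security: missing or max-age=0")

    # CSP should at least declare a default-src fallback for all resource types
    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("Content-Security-Policy: missing or no default-src")

    # Per the table, sensitive responses should carry no-store
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control: no-store not set (response may be cached)")

    # Each Set-Cookie value: name=value followed by ';'-separated attributes
    cookies = h.get("set-cookie", [])
    for raw in ([cookies] if isinstance(cookies, str) else cookies):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
                 for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"Set-Cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"Set-Cookie {name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"Set-Cookie {name}: SameSite not Lax/Strict")
    return findings

# Constructed sample responses: one weak, one set as the table recommends
WEAK = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; path=/"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "Strict-Transport-Security": "max-age=86400; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'",
            "Cache-Control": "no-cache, no-store, must-revalidate",
            "Set-Cookie": ["session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax"]}
```

Running `audit_headers(WEAK)` lists eight findings, while `audit_headers(HARDENED)` returns an empty list.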