This header enables the Cross-site scripting (XSS) filter built into most recent web browsers:
add_header X-XSS-Protection "1; mode=block";
This header doesn’t allow the browser to render the page inside a frame or iframe:
add_header X-Frame-Options "deny";
This header disabled content-type sniffing on most browsers:
add_header X-Content-Type-Options "nosniff";