2.5 HTTP Response Header Configurations

The following are some HTTP Response Headers that mitigate certain vulnerabilities.

Vulnerability                                   HTTP Response Header
Clickjacking                                    X-Frame-Options
XSS                                             Content-Security-Policy
                                                X-XSS-Protection
Cookie hijacking, Protocol Downgrade attacks    Strict-Transport-Security
Retrieving Sensitive data from browser cache    Cache-Control

The sections below specify how to configure these response headers in the httpd.conf file of the web server (Apache HTTP Server). The Header directive is provided by mod_headers, which must be loaded for these settings to take effect.

i. X-Frame-Options

Header always append X-Frame-Options SAMEORIGIN

ii. Content-Security-Policy

Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' \
'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; \
object-src 'none'; frame-src 'none'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' \
http://<OAM Server>:<OAM Port>/; child-src 'self'"

Please note that the policy above is for the base product. If the product is customized so that the browser needs to load or execute content from other URLs, this policy will have to be extended accordingly.

iii. X-XSS-Protection

Header set X-XSS-Protection "1; mode=block"

iv. Strict-Transport-Security

Set this for your top level domain. The Header directive needs to be included inside the VirtualHost directive for the HTTPS port:

<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=31540000; includeSubDomains"
</VirtualHost>

Consider submitting your website for inclusion in the HSTS preload list maintained by Google Chrome at https://hstspreload.appspot.com/. Other browsers, including MS IE 11, MS Edge, Firefox and Opera, also use this list, so the protection offered by this mechanism extends to those browsers as well.

v. Cache-Control

Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
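To confirm that a deployed server actually emits the five headers configured above, the following checking script is added here as an example (it is not part of the original document or the product). It validates a captured response header map, for instance from curl -I or requests.get(url).headers, against the values given in this section; the SAMPLE_RESPONSE map is constructed for illustration.

```python
# Values the httpd.conf directives in this section are expected to produce.
HSTS_MIN_AGE = 31540000
REQUIRED_CSP = {"default-src": "'none'", "object-src": "'none'", "frame-src": "'none'"}
REQUIRED_CACHE = {"max-age=0", "no-cache", "no-store", "must-revalidate"}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def check_headers(headers):
    """Return one finding per header that is missing or weaker than this section specifies."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-frame-options", "").strip().upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN (clickjacking)")
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive, source in REQUIRED_CSP.items():
        if csp.get(directive) != [source]:
            findings.append(f"CSP {directive} is not {source}")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    hsts_value = h.get("strict-transport-security", "")
    hsts = dict(i.strip().lower().partition("=")[::2] for i in hsts_value.split(";"))  # {token: value}
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security max-age missing or below 31540000")
    if "includesubdomains" not in hsts:
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    missing = REQUIRED_CACHE - {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if missing:
        findings.append("Cache-Control missing " + ", ".join(sorted(missing)))
    return findings

# Constructed sample response: HSTS max-age too short and Cache-Control lacks no-store.
SAMPLE_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'none'; img-src 'self'; object-src 'none'; frame-src 'none'",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "Cache-Control": "max-age=0, no-cache, must-revalidate",
}

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE):
        print("FAIL:", finding)
```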