Security options

HTTP security headers

X-Frame-Options

• "7.6 The X-Frame-Options header" in HTML Living Standard
• RFC 7034: HTTP Header Field X-Frame-Options
• X-Frame-Options, MDN webdocs

X-Content-Type-Options

• Blog 'IE8 Security Part VI: Beta 2 Update'
• X-Content-Type-Options, MDN webdocs

X-XSS-Protection (deprecated)

• X-XSS-Protection test removed from Internet.nl

Content-Security-Policy (CSP)

• Content Security Policy Level 3, W3C Working Draft (In conformance with CSP3 we consider frame-src not as deprecated.)
• Content Security Policy Level 2, W3C Recommendation
• Content-Security-Policy, MDN webdocs
• Mozilla's Laboratory (Content Security Policy / CSP Toolkit)

Referrer-Policy

• Referrer Policy, W3C Candidate Recommendation, 26 January 2017
• Referrer Policy, Editor’s Draft
• Referrer-Policy, MDN webdocs

Other security options

security.txt

• RFC 9116: A File Format to Aid in Security Vulnerability Disclosure
• Common Security Advisory Framework Version 2.0, "7.1.8 Requirement 8: security.txt"
• IANA registry for security.txt fields
• Securitytxt.org
• "Wat is security.txt?" (in Dutch) by Digital Trust Center
• "Handreiking security.txt" (in Dutch) by NCSC-NL