The web servers of the websites set four additional HTTP response headers:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- Only allows pages to be accessed via HTTPS.

X-Frame-Options: SAMEORIGIN
- Prevents pages from being embedded on external websites, e.g. via iFrame, in order to prevent misuse.

X-Content-Type-Options: nosniff
- Protection against MIME confusion attacks and unauthorized hotlinking.

Referrer-Policy: strict-origin-when-cross-origin
- The complete URL is passed on as referrer information if the requested website or resource is of the same origin; otherwise, only the origin (e.g., https://example.org) is set. If the requested website is not accessed via HTTPS, no referrer information is passed on.
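
To check that a server really sends this baseline, the following added example (not part of the original page) audits a raw response-header block against the four values listed above. The function names, the rule that each header must appear exactly once, and the two sample responses are assumptions of this example.

```python
BASELINE_MAX_AGE = 63072000  # HSTS max-age from the page, in seconds
EXACT = {  # the other three headers, compared case-insensitively
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_hsts(value):
    """Split an HSTS value into {directive: argument, or True for a bare flag}."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or True
    return out

def audit(raw_headers):
    """Return findings for a raw header block; an empty list means baseline met."""
    seen = {}
    for line in raw_headers.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon (e.g. a status line) are skipped
            seen.setdefault(name.strip().lower(), []).append(value.strip())
    findings = []
    for name in ["strict-transport-security", *EXACT]:
        values = seen.get(name, [])
        if len(values) != 1:  # missing or duplicated: report it, do not guess
            findings.append(f"{name}: expected 1 header, found {len(values)}")
            continue
        if name in EXACT:
            if values[0].lower() != EXACT[name]:
                findings.append(f"{name}: got {values[0]!r}")
            continue
        hsts = parse_hsts(values[0])
        age = hsts.get("max-age")
        if not (isinstance(age, str) and age.isdecimal() and int(age) >= BASELINE_MAX_AGE):
            findings.append(f"{name}: max-age below {BASELINE_MAX_AGE} or missing")
        for flag in ("includesubdomains", "preload"):
            if flag not in hsts:
                findings.append(f"{name}: {flag} directive missing")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = """Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin"""
WEAK = """strict-transport-security: max-age=300
X-Frame-Options: ALLOWALL
Referrer-Policy: strict-origin-when-cross-origin"""
```

Feed it the header block from a saved response, for example the output of `curl -sI` against your own site; the exactly-once rule is deliberately stricter than what browsers accept.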