by ShaneWilton 2951 days ago
Most of the suggestions in this post are great, but as always, especially when security is involved, you need to assess your business needs yourself.

The suggestion to use Content-Security-Policy over X-Frame-Options is great -- if you don't expect many of your users to be using IE-based browsers. If you're primarily serving large enterprises or government customers though, it's likely that most of your users will still be coming from a browser that doesn't support Content-Security-Policy.
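As an added example (not from the thread or any commenter), the compromise the comment points at, sending both headers so that browsers without Content-Security-Policy support still get clickjacking protection, and an audit helper that flags the gaps the thread discusses. The origin format (`scheme://host[:port]`) and the sample header sets are my assumptions.

```python
"""Emit framing-protection headers for legacy and modern browsers, and audit a
response's headers for gaps. Added illustration, not code from the thread."""
from typing import Dict, Iterable, List


def framing_headers(allowed_origins: Iterable[str] = ()) -> Dict[str, str]:
    """Return both X-Frame-Options and a CSP frame-ancestors directive.

    X-Frame-Options is honoured by older browsers (IE8 onwards) but can only
    say DENY or SAMEORIGIN portably; ALLOW-FROM takes a single origin and was
    never widely supported. CSP frame-ancestors expresses the general case and,
    in browsers that support it, takes precedence over X-Frame-Options.
    """
    origins = [o.rstrip("/") for o in allowed_origins]  # assumed: scheme://host[:port]
    headers: Dict[str, str] = {}
    if not origins:
        headers["X-Frame-Options"] = "DENY"
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif origins == ["'self'"]:
        headers["X-Frame-Options"] = "SAMEORIGIN"
        headers["Content-Security-Policy"] = "frame-ancestors 'self'"
    else:
        # X-Frame-Options cannot carry a list of third-party origins; fail closed
        # with SAMEORIGIN for legacy browsers and let CSP carry the full list.
        headers["X-Frame-Options"] = "SAMEORIGIN"
        headers["Content-Security-Policy"] = "frame-ancestors " + " ".join(origins)
    return headers


def audit_framing(headers: Dict[str, str]) -> List[str]:
    """Report framing-protection gaps; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Parse the CSP into directive -> source list.
    directives: Dict[str, List[str]] = {}
    for part in lower.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    frame_ancestors = directives.get("frame-ancestors")
    if frame_ancestors is None:
        findings.append("no frame-ancestors directive: CSP-capable browsers fall back to X-Frame-Options only")
    elif "*" in frame_ancestors:
        findings.append("frame-ancestors allows any origin ('*')")

    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("no X-Frame-Options: browsers without CSP support (e.g. older IE) are unprotected")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is only honoured by a few legacy browsers; others ignore the whole header")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a response that set CSP but forgot the legacy header.
    sample = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
    for finding in audit_framing(sample):
        print("finding:", finding)
    print("recommended:", framing_headers(["'self'", "https://partner.example/"]))
```

Run it directly to see the audit of the constructed sample; in a real service the dictionary returned by `framing_headers` is merged into the response headers (if a CSP with other directives already exists, append the `frame-ancestors` directive to it rather than replacing the header).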


But interestingly, they deem `x-ua-compatible` "useful" even though AFAIK that's also only needed for backwards compatibility with IE.

Not to mention that Content-Security-Policy can be costly to set up and maintain properly. My servers send both X-Frame-Options and Content-Security-Policy, but I do keep running into cases where my CSP was too restrictive and have to keep fiddling with it.

Same with Expires; if you serve really really old clients you might still need it.