by mike-cardwell
5301 days ago
Your Strict-Transport-Security definition is missing the "includeSubDomains" flag. STS is a lot more effective if you use that flag. You should discuss how X-Frame-Options prevents sites legitimately loading your pages inside frames too. I believe Reddit does this amongst others in order to display a small control panel at the top of the page. X-Frame-Options is appropriate for many sites, but perhaps not for blogs. You should talk about how CSP prevents most bookmarklets from working. For example, Readability and Instapaper. I really like CSP, but people should be made aware of this.
That said, your points about X-Frame-Options and CSP are definitely important for usability. Maybe I'll update the post w/ some of those details.
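The gaps raised in this thread, as an added example that is not from the comment or the original post: a small Python check over constructed response headers that parses Strict-Transport-Security into its directives and reports a missing includeSubDomains flag, a missing framing restriction, and a missing CSP. The header sets and finding codes are my own constructions.

```python
from typing import Dict, List

# Constructed sample headers: the first set resembles the HSTS definition the
# comment objects to (no includeSubDomains, no CSP); the second is the hardened form.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into a lowercase directive -> value map.
    Valueless directives such as includeSubDomains map to an empty string."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for the header weaknesses discussed in the thread."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) <= 0:
            findings.append("hsts-max-age-invalid")
        # Without includeSubDomains, subdomains stay reachable over plain HTTP
        # and cookies scoped to the parent domain can still be exposed there.
        if "includesubdomains" not in d:
            findings.append("hsts-no-includesubdomains")

    csp = lower.get("content-security-policy", "")
    # Either header can restrict framing; a blog may deliberately omit both.
    if "x-frame-options" not in lower and "frame-ancestors" not in csp.lower():
        findings.append("no-framing-restriction")
    if not csp:
        findings.append("csp-missing")
    return findings
```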