Application security options (Security options)

X-Frame-Options

• RFC 7034: HTTP Header Field X-Frame-Options
• X-Frame-Options, MDN webdocs

X-Content-Type-Options

• Blog 'IE8 Security Part VI: Beta 2 Update'
• X-Content-Type-Options, MDN webdocs

X-XSS-Protection (deprecated)

• Test removed from Internet.nl

Content-Security-Policy (CSP):

• Content Security Policy Level 3, W3C Working Draft (In conformance with CSP3 we consider frame-src not as deprecated.)
• Content Security Policy Level 2, W3C Recommendation
• MDN webdocs on Content-Security-Policy
• Mozilla's Laboratory (Content Security Policy / CSP Toolkit)

Referrer-Policy

• Referrer Policy, W3C Candidate Recommendation, 26 January 2017
• Referrer Policy, Editor’s Draft
• Referrer-Policy, MDN webdocs