Application security options (Security options)

X-Frame-Options

• RFC 7034: HTTP Header Field X-Frame-Options
• X-Frame-Options, MDN webdocs

X-Content-Type-Options

• Blog 'IE8 Security Part VI: Beta 2 Update'
• X-Content-Type-Options, MDN webdocs

X-XSS-Protection (deprecated)

• X-XSS-Protection test removed

Content-Security-Policy (CSP):

• Content Security Policy Level 3, W3C Working Draft (In conformance with CSP3 we consider frame-src not as deprecated.)
• Content Security Policy Level 2, W3C Recommendation
• MDN webdocs on Content-Security-Policy
• Mozilla's Laboratory (Content Security Policy / CSP Toolkit)

Referrer-Policy

• Referrer Policy, W3C
• Referrer-Policy, MDN webdocs