Strict HTTP headers
Test the headers on your website by running curl -I lyngvaer.no (substitute your own host); hopefully you'll get output that looks like this:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2016 01:38:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1337
Last-Modified: Wed, 13 Apr 2016 14:22:09 GMT
Connection: keep-alive
ETag: "570e5611-307"
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Specifically, the ones we're looking at are X-Frame-Options, X-Xss-Protection, X-Content-Type-Options, and Strict-Transport-Security.
X-Frame-Options
This header tells the browser from where the page may be loaded into a <frame>, <iframe>, or <object>.
The possible values are:
DENY
Disallow loading the page in any <frame>, <iframe>, or <object>.
SAMEORIGIN
Disallow loading the page in any <frame>, <iframe>, or <object>, except from the current host.
ALLOW-FROM uri
Allows framing only from the specified URI.
X-Xss-Protection
This header field is actually kind of weird: it seems it was created for IE8, but has now spread to Chrome.
From what I can gather, it seems it was added so that servers can shut off the built-in XSS protection in IE8 via headers.
0
Turns off XSS protection.
1; mode=block
The 1 keeps the protection on, and IE8 will actively try to sanitize the source of the page, replacing one or more characters with '#'.
The mode=block modifier tells the browser to instead prevent rendering the page at all.
X-Content-Type-Options
nosniff
Basically, this tells the browser not to load a script unless the MIME type actually specifies that it's a script (text/javascript, application/javascript, etc.).
Strict-Transport-Security
HTTP Strict Transport Security (aka HSTS)
Long story short, it tells your browser to only use HTTPS for this site.
The fields are as follows:
max-age
How long (in seconds) the browser should remember to only use HTTPS.
includeSubDomains (optional)
This parameter tells the browser whether or not this applies to subdomains too.
You can add these headers to your httpd; for example, in nginx.conf it is as easy as:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000";
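Rather than reading the curl -I output by eye, you can pipe it through a small checker. The script below is an added example, not code from the original post or from any project it mentions: it parses a raw header block of the kind curl -I prints, and reports each of the four headers that is missing or set to something weaker than the nginx config above emits (a one-year max-age for HSTS, DENY or SAMEORIGIN for X-Frame-Options, 1; mode=block, nosniff). The two header blocks inside it are constructed samples, not captures from any real host, and the one-year threshold is the value used on this page, not a standard.

```python
"""Check a raw HTTP response header block for the four headers discussed above."""
import re
from typing import Dict, List

# Constructed sample: same shape as the `curl -I` output shown above, not a real capture.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
"""

# Constructed sample of a site with weak or missing settings.
WEAK_HEADERS = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: ALLOW-FROM https://example.com
X-Xss-Protection: 0
Strict-Transport-Security: max-age=300
"""

ONE_YEAR = 31536000  # seconds; the max-age value used in the nginx config above


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse `curl -I` style output into a dict keyed by lower-cased header name.

    The status line and blank lines are skipped; header names are matched
    case-insensitively, as HTTP requires.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means all four headers look strict."""
    h = parse_headers(raw)
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed from anywhere")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is '{xfo}': framing is not limited to the same origin")

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-Xss-Protection missing")
    elif not re.fullmatch(r"1;\s*mode=block", xss.lower()):
        findings.append(f"X-Xss-Protection is '{xss}': expected '1; mode=block'")

    cto = h.get("x-content-type-options")
    if cto is None or cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': the browser may sniff MIME types")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: the browser is not told to stick to HTTPS")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append(f"Strict-Transport-Security is '{hsts}': no max-age directive")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={m.group(1)} is shorter than one year")
    return findings


if __name__ == "__main__":
    import sys

    if not sys.stdin.isatty():
        # Usage: curl -sI https://your.host | python3 check_headers.py
        print(check_headers(sys.stdin.read()) or ["OK"])
    else:
        for label, raw in (("strict", SAMPLE_HEADERS), ("weak", WEAK_HEADERS)):
            print(f"{label}: {check_headers(raw) or ['OK']}")
```

Run it against a live site with curl -sI https://your.host | python3 check_headers.py; request over HTTPS, since Strict-Transport-Security is only honoured on an HTTPS response. If a check fails even though the add_header lines are in nginx.conf, keep in mind that nginx only inherits add_header from an enclosing block when the current location or server block has no add_header of its own.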