
window.opener exploitable & security headers missing? #29

Open
@Arinerron

Description

@Arinerron

If I were you, I'd add rel="noopener noreferrer" to links to external URLs so people can't exploit window.opener. Not very serious, but worth doing. Read more

I know, I know. Everybody hates when others tell them they are missing security headers. Is there any reason why the X-XSS-Protection header is not set? There are a few others I'd add too, but these depend on how the site is set up:

  • Strict-Transport-Security: Require use of HTTPS
  • Content-Security-Policy: Mitigates some XSS attacks
  • Public-Key-Pins: Prevents MiTM attacks using rogue X.509 certs if the CA is compromised
  • X-Frame-Options: Stops clickjacking attacks
  • X-Content-Type-Options: Stops browser from MIME-sniffing
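As an added example (not code from this issue or from the project it is filed against), a small Python audit that flags the two things the report asks for: external target="_blank" links without rel="noopener" (or "noreferrer", which implies it), and missing headers from the list above. It runs on constructed sample input, and the site's own host is assumed to be example.com.

```python
# Audit a page for the two issues raised above: target=_blank links to other
# origins without rel="noopener", and missing security headers.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers the issue asks about: X-XSS-Protection plus the five in the list.
EXPECTED_HEADERS = ("X-XSS-Protection", "Strict-Transport-Security",
                    "Content-Security-Policy", "Public-Key-Pins",
                    "X-Frame-Options", "X-Content-Type-Options")

class OpenerAuditor(HTMLParser):
    """Collect <a> tags that would hand window.opener to another origin."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        href = a.get("href", "")
        host = urlparse(href).hostname
        if not host or host.lower() == self.site_host:
            return  # relative or same-site link: not a cross-origin opener
        rel = set(a.get("rel", "").lower().split())
        # noreferrer implies noopener in current browsers, so either one is enough.
        if a.get("target", "").lower() == "_blank" and not rel & {"noopener", "noreferrer"}:
            self.findings.append(href)

def links_missing_noopener(html, site_host):
    """Return hrefs of external target=_blank links lacking rel=noopener."""
    parser = OpenerAuditor(site_host)
    parser.feed(html)
    return parser.findings

def missing_security_headers(headers):
    """Return the expected headers absent from a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

# Constructed sample input (hypothetical page and response), not from the project.
SAMPLE_HTML = (
    '<a href="https://example.net/a" target="_blank">bad</a>'
    '<a href="https://example.net/b" target="_blank" rel="noopener noreferrer">ok</a>'
    '<a href="/about" target="_blank">internal</a>'
)
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
```

Feed it the HTML and headers of a real response (for instance from `urllib.request`) to get the same two lists for a live page.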
