To protect against cross-site scripting (XSS), requires the HTTP header X-Content-Type-Options: nosniff
for all responses. Also include Content-Type: application/json; charset=utf-8
in the response header.
To protect against cross-site request forgery (XSRF), requires the HTTP header X-XSRF-Protected: 1
for all requests.