Allows a server to declare an embedder policy for a given document.

Prevents other domains from opening/controlling a window.

Prevents other domains from reading the response of the resources to which this header is applied.

Controls resources the user agent is allowed to load for a given page.

Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.

Provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.

Force communication using HTTPS instead of HTTP.

Sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the "upgrade-insecure-requests" directive.