Add an X-Frame-Options header (DENY or SAMEORIGIN) to your HTTP responses to control whether the page may be rendered in an <iframe>; this is the basic defence against clickjacking, and the CSP frame-ancestors directive supersedes it in current browsers.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Add a Content-Security-Policy header to your HTTP responses to restrict the sources from which the page may load scripts, styles and other assets; avoid 'unsafe-inline' and 'unsafe-eval', which defeat most of its protection against XSS.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Relax the same-origin policy as little as possible. Use the Access-Control-Allow-* (CORS) headers carefully: list specific origins instead of *, and never reflect an arbitrary Origin value when Access-Control-Allow-Credentials is true.
See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Restrict access to your cookies by adding the Secure, HttpOnly and SameSite attributes (HTTPS only, no JavaScript access, no cross-site sending).
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
Protect unsafe HTTP methods (POST, PUT, DELETE) with a CSRF token. Never use safe methods (GET, HEAD) to persist data.
See https://symfony.com/doc/current/security/csrf.html
Never trust the Forwarded, X-Forwarded-For or X-Forwarded-Host headers: any client can set them, so honour them only when the request comes from a reverse proxy you control, and make that proxy overwrite them.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
Add a Strict-Transport-Security header to your HTTP responses to instruct the browser to load the site over HTTPS only.
See https://developer.mozilla.org/en-US/docs/Glossary/HS
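The following Python module is an added example and is not part of the original checklist or of any framework's code. It puts the items above into working form: a hardened header set and cookie, an audit function that flags the weak variants of each header, an HMAC-based CSRF token tied to the session, and a client-IP resolver that only believes X-Forwarded-For when the peer is a trusted proxy. The header values, the 10.0.0.0/8 proxy range, the secret and all sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

ONE_YEAR = 31536000  # HSTS max-age commonly recommended as the minimum


def security_headers(csp="default-src 'self'", allow_origin=None):
    """Return a baseline of hardened response headers (values are assumptions)."""
    headers = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    }
    if allow_origin:  # one explicit origin, never "*" when credentials are involved
        headers["Access-Control-Allow-Origin"] = allow_origin
        headers["Vary"] = "Origin"  # keep caches from serving it to other origins
    return headers


def session_cookie(name, value):
    """Set-Cookie value with the three attributes the checklist asks for."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_headers(headers):
    """Return a list of findings for a response header dict (case-insensitive keys).
    Set-Cookie may be a single string or a list of strings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    if not csp:
        findings.append("no Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline/unsafe-eval")
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("no Strict-Transport-Security")
    else:
        max_age = 0
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: wildcard origin combined with credentials")
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {cookie.split('=')[0]} missing {', '.join(missing)}")
    return findings


def csrf_token(session_id, secret):
    """Token bound to the session so a token stolen from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_required(method):
    """Safe methods per RFC 9110 need no token; everything else does."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS", "TRACE")


def verify_csrf(method, session_id, secret, submitted):
    if not csrf_required(method):
        return True
    if submitted is None:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


# Constructed trusted-proxy range; in practice list your own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client address. X-Forwarded-For is only consulted when the TCP
    peer is a trusted proxy; hops are walked right to left, skipping trusted proxies,
    and any malformed entry falls back to the peer address."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return remote_addr
    hops = [hop.strip() for hop in (xff or "").split(",") if hop.strip()]
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            return remote_addr
        if not any(candidate in net for net in trusted):
            return str(candidate)
    return remote_addr
```

Run audit_headers() against the headers your application actually emits (for instance, captured with curl -I) rather than against a hand-written dict; the baseline from security_headers() passes it, while a response with ALLOWALL framing, a wildcard CORS origin plus credentials, max-age=0 and a bare session cookie produces one finding per weak header.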