best-practice OWASP HTTP response headers ( https://owasp.org/www-project-secure-headers/ ) for Rust
HTTP-Strict-Transport-Security = "max-age=31536000 ; includeSubDomains"
X-Frame-Options = "deny"
X-Content-Type-Options = "nosniff"
Content-Security-Policy = "default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
X-Permitted-Cross-Domain-Policies = "none"
Referrer-Policy = "no-referrer"
Clear-Site-Data = "\"cache\",\"cookies\",\"storage\""
Cross-Origin-Embedder-Policy = "require-corp"
Cross-Origin-Opener-Policy = "same-origin"
Cross-Origin-Resource-Policy = "same-origin"
Permissions-Policy = "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"
Cache-Control = "no-store, max-age=0"
Pragma = "no-cache"
https://owasp.org/www-project-secure-headers/
tower-default-headers: source code, crate