Here's a preview from my zine, HTTP: Learn your browser's language!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!


These are headers your server can set. They ask the browser to protect your users’ data against attackers in different ways:

Content-Security-Policy (often called CSP)

Only allow CSS/Javascript from certain domains you choose to run on your website. Helps protect against cross-site-scripting (aka XSS) attacks.

Referrer-Policy

Control how much information is sent to other sites in the Referer header. Example: Referrer-Policy: no-referrer.

(spelling is inconsistent with Referer header :( )

Strict-Transport-Security (often called HSTS)

Require HTTPS. If you set this the client (browser) will never request a plain HTTP version of your site again. Be careful! You can’t take it back!

Expect-CT

Certificate Transparency (CT) is a system that can help find malicious SSL certificates issued for your site. This header gives the browser a URL to use to report bad certificates to you.

X-XSS-Protection

Another way to protect against XSS attacks. Not supported by all browsers; Content-Security-Policy is more powerful.
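To see what these headers look like on the wire, here is an added example (not from the zine) that parses a raw HTTP response and lists which of the protections above it is missing. Both responses are constructed samples and the "recommended" values in them are assumptions, not a policy the zine prescribes.

```python
# Added example: parse a raw HTTP response and audit it for the five
# security headers described above. Responses here are constructed samples.
import re
from email.parser import BytesHeaderParser

# Response a hardened server might send (constructed; values are assumptions).
GOOD = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
        b"Referrer-Policy: no-referrer\r\n"
        b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        b"Expect-CT: max-age=86400, report-uri=\"https://example.test/ct\"\r\n"
        b"\r\n<html>hi</html>")

# Response that relies only on the legacy XSS filter (constructed sample).
WEAK = (b"HTTP/1.1 200 OK\r\n"
        b"X-XSS-Protection: 1; mode=block\r\n"
        b"Strict-Transport-Security: includeSubDomains\r\n"
        b"\r\n<html>hi</html>")

def parse_response_headers(raw):
    """Return the response's headers as a dict keyed by lower-cased name."""
    head = raw.split(b"\r\n\r\n", 1)[0]                 # drop the body
    _status_line, _, header_block = head.partition(b"\r\n")
    msg = BytesHeaderParser().parsebytes(header_block + b"\r\n")
    return {name.lower(): value for name, value in msg.items()}

def audit(headers):
    """List the protections from the comic that this response does not get."""
    findings = []
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy: script/CSS sources are unrestricted")
    if "referrer-policy" not in headers:
        findings.append("no Referrer-Policy: the browser default decides what Referer leaks")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security: plain HTTP requests are still possible")
    elif not re.search(r"max-age=\d+", hsts):
        # max-age is the required directive; without it browsers ignore the header
        findings.append("Strict-Transport-Security lacks max-age: browsers ignore it")
    if "expect-ct" not in headers:
        findings.append("no Expect-CT: mis-issued certificates will not be reported to you")
    if "x-xss-protection" in headers and "content-security-policy" not in headers:
        findings.append("only X-XSS-Protection: not every browser honours it, add CSP")
    return findings

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(parse_response_headers(raw)) or ["ok"])
```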

© Julia Evans 2024 | All rights reserved (see the FAQ for notes about licensing)