Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser: