X-XSS-Protection
This header enables the cross-site scripting (XSS) filter in the browser. When the filter is enabled and detects a cross-site scripting attack, the browser stops the attack by either sanitizing the page or preventing the page from rendering.
X-Content-Type-Options
Setting this header prevents the browser from interpreting a file as anything other than the content type declared in the HTTP headers.
Clickjacking Defence
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. The attackers load another page over the visible one in a transparent layer. Users think they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, so the attackers can trick users into performing actions they never intended. Such actions cannot later be traced to the attackers, because the users were genuinely authenticated on the hidden page.
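As an added example (not code from the original page), the Python check below audits a response's headers for the three protections described above. The values nosniff and mode=block, and the X-Frame-Options and Content-Security-Policy frame-ancestors headers used for the clickjacking check, are standard but not named in the text; the sample header sets are constructed.

```python
# Added example; HARDENED and WEAK at the bottom are constructed samples.
def _normalise(headers):
    """Lower-case header names and trim values (header names are case-insensitive)."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}

def xss_filter_mode(headers):
    """Map X-XSS-Protection to 'off', 'sanitize', 'block', or None if absent/malformed."""
    value = _normalise(headers).get("x-xss-protection")
    if value is None:
        return None
    fields = [f.strip().lower() for f in value.split(";")]
    if fields[0] == "0":
        return "off"
    if fields[0] != "1":
        return None
    return "block" if "mode=block" in fields[1:] else "sanitize"

def frame_protection(headers):
    """Return 'deny', 'restricted', or None when any origin may frame the page."""
    h = _normalise(headers)
    # Where frame-ancestors is present it overrides X-Frame-Options, so check it first.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources == ["'none'"]:
                return "deny"
            return None if "*" in sources else "restricted"
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "deny" if xfo == "DENY" else "restricted"
    return None  # header missing, or an obsolete value such as ALLOW-FROM

def audit(headers):
    """Return a list of findings; an empty list means all three protections are set."""
    findings = []
    if _normalise(headers).get("x-content-type-options", "").lower() != "nosniff":
        findings.append("content type sniffing not disabled")
    if xss_filter_mode(headers) in (None, "off"):
        findings.append("XSS filter not enabled")
    if frame_protection(headers) is None:
        findings.append("page can be framed by any origin")
    return findings

HARDENED = {"X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
WEAK = {"Content-Type": "text/html", "X-XSS-Protection": "0",
        "X-Frame-Options": "ALLOW-FROM https://example.com"}
```

Calling audit(HARDENED) returns an empty list, while audit(WEAK) reports all three protections as missing.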