1 vote
A web administrator notices a few security vulnerabilities that need to be addressed on the company Intranet site. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server's response headers.

by Trav (8.1k points)

1 Answer

3 votes

Answer: Set a Cache-Control header to 0 to prevent caching on client browsers. Set a Strict-Transport-Security header to 31536000 (1 year) to force the client to remember to only connect to the server with HTTP(S) secure. Lastly, set a Content Security Policy (CSP) HTTP header to tell the client what sources it can load scripts or images from and how to handle the execution of JS that is on the page, which helps mitigate script injection.

Step-by-step explanation:

Cache-Control is a server response header that controls how long a browser should keep a cache before it becomes stale. Setting it to 0 tells the browser that it should never cache.

Strict-Transport-Security is a server response header that tells the client that, after the first visit, the browser should remember to only connect to it via HTTPS for the time that was set by the header.

Content Security Policy (CSP) is a policy and also a header that can be in the response of a server that explains to the browser the limitations on content that can be loaded. Examples include images, videos, JS sources, etc. The policy can also tell the browser that only an ad analytics script should be allowed to run, thus mitigating any other scripts that may be injected onto the site.

by Aram Boyajyan (7.8k points)
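An added example, not part of the answer above, that audits a server's response headers for the three controls it describes. It uses the standard directives `Cache-Control: no-store` and `Strict-Transport-Security: max-age=31536000`, and both header sets (hardened and weak) are constructed samples; the analytics host is a placeholder.

```python
"""Audit HTTP response headers for HSTS, caching and CSP script restrictions."""
import re

# Constructed sample: a hardened header set for an intranet portal.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://analytics.example.invalid; "  # placeholder host
        "object-src 'none'"
    ),
}

# Constructed sample: a weak header set (no HSTS, cacheable, inline scripts allowed).
WEAK_HEADERS = {
    "Cache-Control": "max-age=0",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}


def parse_csp(value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means all three controls pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # 1. HSTS must be present with a max-age of at least one year.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < min_hsts_age:
        findings.append("HSTS missing or max-age below %d" % min_hsts_age)
    # 2. Cache-Control must carry no-store so shared devices keep nothing on disk.
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store; pages may be cached on shared devices")
    # 3. CSP must restrict script sources and must not allow wildcard or inline scripts.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP missing or has no script-src/default-src")
    elif "*" in script_src or "'unsafe-inline'" in script_src:
        findings.append("CSP script-src permits wildcard or inline scripts")
    return findings
```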