Improve security headers documentation

Refresh and reorder links

h5bp/security/content-security-policy.conf

@@ -19,9 +19,10 @@
 # such as:
 # https://csp-evaluator.withgoogle.com
 #
-# https://csp.withgoogle.com/docs/
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 # https://www.w3.org/TR/CSP/
+# https://owasp.org/www-project-secure-headers/#content-security-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developers.google.com/web/fundamentals/security/csp
+# https://content-security-policy.com/
 
 add_header Content-Security-Policy $content_security_policy always;

h5bp/security/referrer-policy.conf

@@ -17,7 +17,9 @@
 # https://securityheaders.com/
 # https://observatory.mozilla.org/
 #
-# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://www.w3.org/TR/referrer-policy/
+# https://owasp.org/www-project-secure-headers/#referrer-policy
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 
 add_header Referrer-Policy $referrer_policy always;

h5bp/security/strict-transport-security.conf

@@ -28,9 +28,9 @@
 #     https://hstspreload.org/#deployment-recommendations
 #
 # https://tools.ietf.org/html/rfc6797#section-6.1
+# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
-# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
 # https://hstspreload.org/
 
 add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;

h5bp/security/x-content-type-options.conf

@@ -9,6 +9,7 @@
 # user-uploaded content or content that could potentially be treated as
 # executable by the browser.
 #
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
 # https://mimesniff.spec.whatwg.org/

h5bp/security/x-frame-options.conf

@@ -29,9 +29,9 @@
 # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
 #     which obsoletes this header for supporting browsers.
 #
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 # https://tools.ietf.org/html/rfc7034
-# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
+# https://owasp.org/www-project-secure-headers/#x-frame-options
-# https://www.owasp.org/index.php/Clickjacking
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
 
 add_header X-Frame-Options $x_frame_options always;