Cross origin resource sharing (CORS) blocks unintended sites from fetching contents of legitimate site.
Example:
If bank.com setup CORS that does not allow any external resource sharing access then attacker with malicious.com website cannot fetch data from bank.com.
Attacker can still write python script that can fetch data from bank.com however due to CORS attacker cannot setup malicious.com that uses JS to fetch data.
This protection is provided by the browser to protect User data such as cookies.
Strict: Cross site cannot access cookie and user redirected from cross site to original site cannot access cookie on original site. Required to visit original site (no redirection) to access the cookie.
Lax: Cross site cannot access cookie on original site, but user redirected from cross site to original site can access cookie on original site.
None: Cross site can access cookie on original site and redirected user can access cookie of original site.
These are directives to the browser that follows the response header that secures the website.
CSP/content-security-policy: Restricts where scripts, images and styles can load from. Mitigates XSS as attacker cannot source external (untrusted) scripts.
HSTS/(HTTP Strict Transport Security): Prevents HTTPS downgrade. Forces browser to use HTTPS.
X-Frame-Options: Prevents clickjacking by disallowing your site to be used in iframe.
X-Content-Type-Options: Prevents browser from guessing the content type of file uploads preventing MIME type attacks.