Important HTTP Security Headers

X-Content-Type-Options: nosniff

This header tells the browser to trust the MIME type sent by the server in the Content-Type header instead of guessing one.
Without it, the browser may inspect the first bytes of the response and decide that content served as, say, text/plain or image/jpeg is really HTML or JavaScript, and render or execute it as such; attacker-controlled uploads then become a cross-site scripting vector. With nosniff set, the browser also refuses to run cross-origin script and stylesheet loads whose Content-Type is not a script or CSS type.

X-Frame-Options: DENY

Sending this header tells the browser not to render the page inside a frame of any kind (frame, iframe, embed or object), no matter which site is doing the framing. The alternative value SAMEORIGIN permits framing only by pages from the same origin.

Why is that important? To prevent the "clickjacking" attack. Suppose we create a rogue website that shows some tempting text asking you to click a "Submit" button.
That button actually belongs to another website, loaded in an iframe that is positioned over our page and made transparent or cropped so that only the button is visible.
The user thinks they are clicking our button, but the click lands on the framed site, where they are already logged in, and triggers an action they never intended, such as confirming a login, deleting data or changing a setting.

In newer browsers this header is superseded by the frame-ancestors directive of Content-Security-Policy:

Content-Security-Policy: frame-ancestors 'none'

Note the single quotes: 'none' (like 'self') is a keyword and must be quoted, otherwise it is parsed as a host name. Browsers that understand frame-ancestors ignore X-Frame-Options when both headers are present, so sending both is the usual way to cover old and new browsers.
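As an added example that is not part of the original post: a small Node.js module that sends both headers discussed above with every response and also audits an arbitrary set of response headers for the mistakes the post warns about (a missing nosniff, no framing protection, an unquoted frame-ancestors keyword, an unsupported X-Frame-Options value). The header names and values are the real ones; the function names (parseCsp, auditHeaders, createServer) and the sample header sets are this example's own.

```javascript
// Added example, not code from the original post.
// Headers the post recommends, with frame-ancestors quoted correctly.
const SECURITY_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

// Parse a CSP header value into { directiveName: [source tokens] }.
// Directive names are case-insensitive, so they are lower-cased here.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audit a response header object and return a list of findings.
// An empty list means the response carries the protections discussed above.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // 1. MIME sniffing: the only defined value is "nosniff" (case-insensitive).
  const xcto = h["x-content-type-options"];
  if (xcto === undefined) {
    findings.push("X-Content-Type-Options missing");
  } else if (xcto.trim().toLowerCase() !== "nosniff") {
    findings.push(`X-Content-Type-Options has unexpected value "${xcto}"`);
  }

  // 2. Framing: CSP frame-ancestors wins when present; X-Frame-Options is the fallback.
  const csp = h["content-security-policy"];
  const frameAncestors = csp ? parseCsp(csp)["frame-ancestors"] : undefined;
  const xfo = h["x-frame-options"];
  if (frameAncestors !== undefined) {
    // 'none' and 'self' are keywords and must be single-quoted; an unquoted
    // none is parsed as a host-source (a host literally named "none").
    for (const src of frameAncestors) {
      if (/^(none|self)$/i.test(src)) {
        findings.push(`frame-ancestors keyword ${src} must be quoted: '${src.toLowerCase()}'`);
      }
    }
  } else if (xfo === undefined) {
    findings.push("no framing protection: neither CSP frame-ancestors nor X-Frame-Options");
  } else if (!/^(deny|sameorigin)$/i.test(xfo.trim())) {
    // ALLOW-FROM was never widely implemented and modern browsers ignore it.
    findings.push(`X-Frame-Options has unsupported value "${xfo}"`);
  }
  return findings;
}

// Minimal server that attaches the headers to every response.
// Start it with: createServer().listen(8080)
function createServer() {
  const http = require("node:http");
  return http.createServer((req, res) => {
    for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
      res.setHeader(name, value);
    }
    res.setHeader("Content-Type", "text/html; charset=utf-8");
    res.end("<!doctype html><title>demo</title><p>Hello");
  });
}
```

Run createServer().listen(8080) and fetch http://127.0.0.1:8080/ with curl -I to see the three headers; feed the headers of any other site into auditHeaders to check them the same way.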

