HTTP

In order of preference, set these headers in:

X-Content-Type-Options

If not already set (e.g. via SECURE_CONTENT_TYPE_NOSNIFF in Django), set the header to:

nosniff

Strict-Transport-Security (HSTS)

If not already set (e.g. via SECURE_HSTS_SECONDS in Django), set the header to:

max-age=31536000; includeSubdomains; preload
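Added example, not part of the original checklist: a small Python check that verifies a response's X-Content-Type-Options and Strict-Transport-Security headers against the values above (nosniff; max-age of at least one year with includeSubDomains and preload). The sample header sets are constructed; the function and constant names are this example's own.

```python
"""Check X-Content-Type-Options and HSTS response headers against the
values this checklist prescribes. Added example; header samples below are
constructed, not captured from any real site."""

ONE_YEAR = 31536000  # max-age the checklist requires


def parse_hsts(value):
    """Parse an HSTS value into {directive_name_lower: value_or_None}.
    RFC 6797 directive names are case-insensitive, so they are lowercased;
    'includeSubdomains' and 'includeSubDomains' therefore both match."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_headers(headers):
    """Return a list of findings for a dict of response headers (names are
    compared case-insensitively). An empty list means both headers comply."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not an integer")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below {ONE_YEAR} (one year)")
        if "includesubdomains" not in d:
            findings.append("HSTS includeSubDomains missing")
        if "preload" not in d:
            findings.append("HSTS preload missing")
    return findings


# Constructed samples: one compliant response, one with weak settings.
GOOD = {"X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload"}
WEAK = {"x-content-type-options": "NOSNIFF ",
        "strict-transport-security": "max-age=3600"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, check_headers(hdrs) or "OK")
```

In practice feed it the headers of a real response (e.g. from `requests` or `curl -I`), and run it in CI so a settings regression is caught before deploy.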