The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh. To complement it (thanks to Forrest Rae), there are also https://securityheaders.io/ and https://report-uri.io/
You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and more limited information at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Though this is not only about HTTP headers, here is an interesting view on what is supported by top browsers.
Here is the state we had (2015-12-12):
...