The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh
You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Here is the state we had (2015-12-12):