The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh
You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and more limited information at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Here is the state we had (2015-12-12):
Here are some links for each header:
Notable global references are:
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
X-Frame-Options
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types
https://www.owasp.org/index.php/Clickjacking
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options (interesting for devops, tells about Apache, Nginx and HAProxy)
Strict-Transport-Security
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html (for devops)
About the preload issue, if you really care: https://hstspreload.appspot.com/