THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
The main tools I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh
You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and more limited at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Here is the state we had (2015-12-12):
Here are some documentation and links for each header:
Global reference notably are
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
X-Frame-Options
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types
https://www.owasp.org/index.php/Clickjacking
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options (interesting for devops, tells about Apache, Nginx and HAProxy)
Strict-Transport-Security
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html (for devops)
About the preload issue if you really care: https://hstspreload.appspot.com/
X-Content-Type-Options
According to Wikipedia and Owasp, the only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
X-Powered-By
It's recommended to not use the X-Powered-By header.
Tomcat documentation: <<The xpoweredBy attribute controls whether or not the X-Powered-By HTTP header is sent with each request. If sent, the value of the header contains the Servlet and JSP specification versions, the full Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and the version of the JVM. This header is disabled by default. This header can provide useful information to both legitimate clients and attackers.>>
OFBiz users can decide to change this parameter if they want