The main tools I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh
You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and more limited at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Here is the state we had (2015-12-12):
Here are some documentation and links for each header:
Global reference notably are
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
X-Frame-Options
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types
https://www.owasp.org/index.php/Clickjacking
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options (interesting for devops, tells about Apache, Nginx and HAProxy)
Strict-Transport-Security
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html (for devops)
About the preload issue if you really care: https://hstspreload.appspot.com/
X-Content-Type-Options
According to Wikipedia and Owasp, the only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
X-Powered-By
It's recommended to not use the X-Powered-By header. Including information about the server provides no tangible benefit to either the browser or user. It can direct an attacker to known vulnerabilities in the server version and should therefore be avoided.
Tomcat documentation: <<The xpoweredBy attribute controls whether or not the X-Powered-By HTTP header is sent with each request. If sent, the value of the header contains the Servlet and JSP specification versions, the full Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and the version of the JVM. This header is disabled by default. This header can provide useful information to both legitimate clients and attackers.>>
OFBiz users can decide to change this parameter if they want