Key security headers:
HSTS (Strict-Transport-Security: force HTTPS on every later visit),
CSP (Content-Security-Policy: mitigate XSS by restricting where scripts load from),
X-Frame-Options (prevent clickjacking; CSP frame-ancestors is the modern replacement),
X-Content-Type-Options: nosniff (prevent MIME sniffing).
Security headers cost nothing to send, and all but CSP are a one-line change. HSTS with a max-age of at least one year, includeSubDomains and preload (submitted to hstspreload.org, which requires exactly those three) is the strongest HTTPS enforcement, because the browser never makes the first plaintext request at all. CSP is the most powerful XSS mitigation: define exactly which origins scripts may load from, use nonces or hashes instead of 'unsafe-inline', and set object-src 'none' and base-uri so the policy cannot be bypassed through plugins or a rewritten base URL. A CSP that still allows wildcard or 'unsafe-inline' script sources gives little real protection. Check the response headers with securityheaders.com, and re-check after every deployment, since a missing or weakened header is a silent regression.
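The checks above can be automated so they run in CI rather than only by hand on securityheaders.com. The following is an added example, not code from the page: a small Python audit that parses the four headers and reports the weaknesses discussed (short or non-preload HSTS, CSP script sources that are wildcard or 'unsafe-inline', no clickjacking protection, missing nosniff). The hardened and weak header sets are constructed for the example; the CSP origin https://static.example.com is a placeholder.

```python
"""Audit a response's security headers for the weaknesses the text warns about.

Added example; the header sets below are constructed, not taken from a real site.
"""
from typing import Dict, List

HSTS_PRELOAD_MIN_AGE = 31536000  # one year: what hstspreload.org requires

# Hardened set. The CSP is an assumed example policy; tune origins to your site.
HARDENED: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://static.example.com; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Constructed weak set: short HSTS, permissive CSP, no framing or sniffing control.
WEAK: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}


def _csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into {name: [src, ...]}; names lower-cased."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _hsts_params(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    params: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            params[name.strip().lower()] = val.strip().strip('"')
    return params


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = _hsts_params(hsts)
        try:
            max_age = int(p.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < HSTS_PRELOAD_MIN_AGE:
            findings.append(f"HSTS: max-age {max_age} is below one year")
        if "includesubdomains" not in p:
            findings.append("HSTS: includeSubDomains missing")
        if "preload" not in p:
            findings.append("HSTS: preload missing")

    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src when absent, as browsers do.
        script = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
        if not script:
            findings.append("CSP: no script-src or default-src")
        if "'unsafe-inline'" in script:
            findings.append("CSP: script-src allows 'unsafe-inline'")
        if "*" in script or any(s in ("http:", "https:") for s in script):
            findings.append("CSP: script-src allows any origin")
        if "object-src" not in directives and "default-src" not in directives:
            findings.append("CSP: object-src unset (plugin content unrestricted)")

    # Either CSP frame-ancestors or a valid X-Frame-Options blocks framing.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: neither frame-ancestors nor a valid X-Frame-Options")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


if __name__ == "__main__":
    for name, hs in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit(hs) or "OK")
```

In a pipeline, feed audit() the headers of a real response (for example from requests.head(url).headers) and fail the build when the list is non-empty; the HSTS check deliberately uses the preload threshold so a policy that passes here is also eligible for the preload list.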