Key security headers: HSTS (Strict-Transport-Security: force HTTPS on repeat visits), CSP (Content-Security-Policy: mitigate XSS by restricting script sources), X-Frame-Options (prevent clickjacking; superseded by the CSP frame-ancestors directive, but still worth sending for older browsers), X-Content-Type-Options: nosniff (prevent MIME sniffing), Referrer-Policy (limit how much of the URL leaks in the Referer header), Permissions-Policy (restrict browser features such as camera, microphone and geolocation).
Security headers cost nothing to add and take minutes to deploy, so there is no excuse for not sending them. HSTS with preloading is the strongest HTTPS enforcement: browsers refuse plain HTTP for the domain before the first visit. Preload is close to permanent and covers every subdomain, so confirm all subdomains already serve HTTPS before submitting. CSP is the most powerful XSS mitigation control, but only when script-src avoids 'unsafe-inline' and uses nonces or hashes; a permissive policy passes a scanner while blocking nothing.
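To make these rules concrete, here is an added example (not code from the original page) that audits a response's headers against the points above: HSTS max-age of at least a year plus includeSubDomains and preload, a CSP whose script-src does not rely on 'unsafe-inline' without a nonce or hash, a clickjacking control via either frame-ancestors or a valid X-Frame-Options, nosniff, a non-leaking Referrer-Policy, and a Permissions-Policy. The two header sets at the bottom are constructed for the example, not captured from any real site.

```python
# Added example: audit HTTP response headers against the recommendations above.
# Runs offline on constructed header sets; not code from the original page.
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; minimum max-age accepted for HSTS preload submission


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its three directives."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age="):
            try:
                parsed["max_age"] = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as absent
        elif directive == "includesubdomains":
            parsed["include_subdomains"] = True
        elif directive == "preload":
            parsed["preload"] = True
    return parsed


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Sources are lowercased for keyword matching; nonce values are only
    prefix-checked here, never compared, so that is safe for an audit."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append("HSTS: max-age below one year")
        if not p["include_subdomains"]:
            findings.append("HSTS: includeSubDomains missing")
        if not p["preload"]:
            findings.append("HSTS: preload directive missing")

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src when it is not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        if not script_src:
            findings.append("CSP: neither script-src nor default-src set")
        elif "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline';
            # without one, 'unsafe-inline' switches the XSS protection off.
            findings.append("CSP: script-src allows 'unsafe-inline' with no nonce or hash")
        if "'unsafe-eval'" in script_src:
            findings.append("CSP: script-src allows 'unsafe-eval'")

    # Clickjacking: frame-ancestors supersedes X-Frame-Options, but either is acceptable.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: no frame-ancestors directive and no valid X-Frame-Options")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: not set to nosniff")

    referrer = h.get("referrer-policy", "").strip().lower()
    if referrer == "":
        findings.append("Referrer-Policy: header missing")
    elif referrer in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy: '{referrer}' sends the full URL cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")

    return findings


# Constructed sample responses for the example (not captured from any real site).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.test",  # obsolete value, ignored by browsers
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or ['all checks passed']}")
```

The weak set trips eight findings (three on HSTS, the 'unsafe-inline' script-src, an unusable ALLOW-FROM value with no frame-ancestors, no nosniff, a leaking Referrer-Policy, no Permissions-Policy); the hardened set passes cleanly. Note that the nonce in the hardened set is a placeholder: in a real deployment it must be freshly generated per response.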