Complete guide to HTTP headers

I was going to write a guide to security-related HTTP headers, but it turns out that someone has already done it. So here you go, it's worth a read. I have locked down the out-of-the-box Tuskfish headers a bit tighter. The content security policy header can break a lot of stuff (read 'any inline script or style sheet') and requires manual tweaking, depending on what you're doing.
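The breakage mentioned above can be located before a strict policy is switched on. The following Python audit is an added example, not part of the original post or of Tuskfish: it lists the inline scripts, styles and handlers that a policy without 'unsafe-inline', nonces or hashes would block. The sample page and all names are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy: no 'unsafe-inline', no nonces, no hashes, e.g.
#   Content-Security-Policy: default-src 'self'
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}

class InlineAudit(HTMLParser):
    """Record markup that the assumed policy would refuse to run or apply."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, directive, description)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)
        script_type = (attrs.get("type") or "").strip().lower()
        # Data blocks such as application/ld+json are not executed, so skip them.
        if tag == "script" and "src" not in attrs and script_type in JS_TYPES:
            self.findings.append((line, "script-src", "inline <script> block"))
        if tag == "style":
            self.findings.append((line, "style-src", "inline <style> block"))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "script-src", f"{name} handler on <{tag}>"))
            elif name == "style":
                self.findings.append((line, "style-src", f"style attribute on <{tag}>"))
            elif name == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "script-src", f"javascript: URL on <{tag}>"))

def audit(html):
    """Return every inline construct found in the given HTML text."""
    parser = InlineAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from Tuskfish.
SAMPLE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<style>body { margin: 0 }</style>
<script src="/js/app.js"></script>
<script>console.log("boot")</script>
</head><body>
<p style="color: red">Notice</p>
<a href="#" onclick="toggle()">Menu</a>
</body></html>
"""

if __name__ == "__main__":
    for line, directive, what in audit(SAMPLE):
        print(f"line {line}: {what} (blocked by {directive})")
```

Each finding is something to move into an external file, or to allow explicitly with a nonce or hash, before the policy is enforced.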


