Mozilla Observatory will test your website and assign it a letter grade based on how well it implements things like a good Content-Security-Policy, clickjacking protection, HTTP Strict Transport Security, and so on.

When I started, this blog was rated F. After a few changes, it's now rated at B+ and I'm heading for A+. One of my other blogs started at A and became A+. That's because the other blog uses Hugo and a very recent theme.

This blog uses Pelican, which has been updated recently, but the theme is old. So it doesn't implement things like Subresource Integrity, where the blog passes along a hash so the browser can verify the JavaScript or CSS file hasn't been substituted.

Here's the netlify.toml for the Hugo blog:

[[headers]]
    for = "/*"
    [headers.values]
    Content-Security-Policy = "default-src 'none'; font-src https://fonts.gstatic.com; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'"
    Referrer-Policy = "strict-origin"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "SAMEORIGIN"
    X-XSS-Protection = "1; mode=block"

and here's the one for this blog:

[[headers]]
    for = "/*"
    [headers.values]
    # scheme sources such as https: are written without quotes, and every directive ends with ';'
    Content-Security-Policy = "default-src https:; font-src 'self' https://stackpath.bootstrapcdn.com https://fonts.googleapis.com; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self' https://www.google-analytics.com https://code.jquery.com https://cdn.jsdelivr.net; style-src 'self' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com https://fonts.googleapis.com; base-uri https://www.siriusventures.com; frame-ancestors 'none'"
    Referrer-Policy = "strict-origin"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "SAMEORIGIN"
    X-XSS-Protection = "1; mode=block"
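
A policy string is easy to get subtly wrong (a quoted scheme source, or a missing ';' so that the next directive is swallowed as a host name), and the browser silently accepts the result. The small linter below is an added example, not part of this post or of Netlify; it parses a CSP value the way the two policies above are written and flags those slips plus the directives that do not fall back to default-src. The sample policy it checks is constructed for the example.

```python
import re

# Directive names, used to tell a directive apart from a host source.
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "object-src",
    "connect-src", "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
}
QUOTED_SCHEME = re.compile(r"^'[a-z][a-z0-9+.-]*:'$")  # e.g. the mistaken 'https:'


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    parsed: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def lint_csp(policy: str) -> list[str]:
    """Return findings for syntax slips and gaps that weaken a CSP."""
    findings: list[str] = []
    parsed = parse_csp(policy)
    for name, sources in parsed.items():
        for src in sources:
            if src.lower() in DIRECTIVES:
                # A directive name inside a source list means the ';' before it is
                # missing: the browser treats it as a host and the directive is lost.
                findings.append(f"{name}: missing ';' before {src!r}")
            elif QUOTED_SCHEME.match(src.lower()):
                # Scheme sources are bare (https:); only keywords are quoted ('self').
                findings.append(f"{name}: scheme source {src} must not be quoted")
            elif src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} weakens the policy")
    if "default-src" not in parsed:
        findings.append("default-src missing: unlisted fetch directives are open")
    elif "object-src" not in parsed and parsed["default-src"] != ["'none'"]:
        findings.append("object-src missing and default-src is not 'none'")
    for name in ("base-uri", "frame-ancestors"):  # neither falls back to default-src
        if name not in parsed:
            findings.append(f"{name} missing: does not inherit from default-src")
    return findings


# Constructed sample with two slips: a quoted scheme and no ';' before style-src.
SLOPPY = ("default-src 'https:'; img-src 'self' https://i.imgur.com; "
          "script-src 'self' https://code.jquery.com style-src 'self'; "
          "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    print("\n".join(lint_csp(SLOPPY)))
```

Run it against the value you are about to put in netlify.toml; an empty result means the policy at least parses the way you intended.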

It's possible to add these as meta tags in the base template for each blog, but it's much nicer to have them show up in the netlify.toml. A meta tag also only works for some of them: X-Frame-Options is ignored when delivered that way, and a Content-Security-Policy set via meta cannot carry frame-ancestors, so the real HTTP headers are what the grader sees.