Check which security headers should be configured and add some nice four letter c-words (CORS/CORP/CSRF/…).