Client Getting Security Scorecard Issues
We’re getting tested by securityscorecard.com and the test came back today with some issues. This is stronger testing than normal. Wondering how we can edit these?
1. Website Does Not Implement HSTS Best Practices
Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the ‘includeSubDomains’ directive so that requests to subdomains are also automatically upgraded to HTTPS. An acceptable HSTS header would declare: Strict-Transport-Security: max-age=31536000; includeSubDomains;

2. Website Does Not Implement X-Frame-Options Best Practices
Add one of the following headers, using the ‘DENY’ or ‘ALLOW-FROM’ directive, to responses from this website: ‘X-Frame-Options: DENY’ or ‘X-Frame-Options: ALLOW-FROM https://example.com/’

3. Content Security Policy Contains Broad Directives
Explicitly specify trusted sources for your script-src and object-src policies. Ideally you can use the ‘self’ directive to limit scripts and objects to only those on your own domain, or you can explicitly specify domains that you trust and rely upon for your site to function.
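The three findings quoted above are all checks on response headers, so they can be verified locally before re-running the scan. The script below is an added example for this thread, not code from the original post or from SecurityScorecard: it parses a dictionary of response headers and reports which of the three criteria (HSTS max-age of at least 31536000 with includeSubDomains, X-Frame-Options set to DENY or ALLOW-FROM, and no broad sources in the CSP script-src/object-src directives) a response fails. The function names, the set of sources treated as "broad", and the two sample header sets are all assumptions made for the example; the sample headers are constructed, not captured from any site.

```python
"""Check HTTP response headers against the three scorecard findings quoted
in the post: HSTS policy, X-Frame-Options, and broad CSP directives.
Example code for this thread; names and thresholds below are assumptions."""

MIN_HSTS_MAX_AGE = 31536000  # 12 months, the threshold the report cites

# Sources that make script-src/object-src "broad" (assumed list for the example).
BROAD_CSP_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-inline'", "'unsafe-eval'"}


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value.
    A trailing ';' (as in the report's example header) is tolerated."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers):
    """Return a list of finding strings; an empty list means all three checks pass.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age below 31536000")
        if not include_sub:
            findings.append("HSTS: includeSubDomains missing")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    else:
        token = xfo.strip().upper()
        # The report lists DENY or ALLOW-FROM <origin> as acceptable values.
        if not (token == "DENY" or token.startswith("ALLOW-FROM ")):
            findings.append("X-Frame-Options: expected DENY or ALLOW-FROM <origin>")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        policy = parse_csp(csp)
        for directive in ("script-src", "object-src"):
            # Per the CSP spec these directives fall back to default-src when absent.
            sources = policy.get(directive, policy.get("default-src"))
            if sources is None:
                findings.append(f"CSP: {directive} not set (and no default-src fallback)")
            elif any(s in BROAD_CSP_SOURCES for s in sources):
                findings.append(f"CSP: {directive} contains a broad source")
    return findings


# Constructed sample responses: one that would trip all three findings,
# and one that satisfies the report's stated criteria.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_headers(hdrs) or "all checks pass")
```

To use it against a live site, build the dictionary from the response headers of the final URL and of every redirect hop, since the report says each URL traversed on the way to the site must carry the HSTS header. One caveat when acting on finding 2: ALLOW-FROM is no longer honoured by current browsers, so the CSP frame-ancestors directive is the portable way to allow a specific framing origin; DENY remains a safe choice where the site is never framed.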