Add additional suggested security headers

Author: icco

lib/defaultHeadersMiddleware.js

@@ -10,7 +10,13 @@ module.exports = (req, res, next) => {
   res.set({
     // this should come after express.static otherwise it overrides
     'Cache-Control': 'max-age=300',
+
+    // https://observatory.mozilla.org/ for recommended settings
     'Strict-Transport-Security': 'max-age=15768000; includeSubDomains; preload',
+    'Referrer-Policy': 'no-referrer',
+    'X-Content-Type-Options': 'nosniff',
+    'X-XSS-Protection': '1; mode=block',
+    'X-Frame-Options': 'SAMEORIGIN'
   });
   next();
 };