Hi,
In the spirit of improving the security headers part of the documentation, here are a few links:
- https://observatory.mozilla.org/analyze.html
- https://infosec.mozilla.org/guidelines/web_security#Content_Security_Policy
- https://developer.mozilla.org/fr/docs/HTTP/CSP
I honestly have no expertise on this and it looks like we could spend a lifetime on that topic 
But there may be a few things we can do that would not be nitpicking ?
Cheers