To get to the Header settings, first click General Config in the MCS main menu and then Security Settings, as shown below.
Near the top of the page will be the Add Header section, as shown below.
To add a preset header, click the drop-down menu, choose the header required, and click the Add Header button. The header will appear in the list above. To save the change, scroll to the bottom of the page and click Save Changes.
Headers can have a variety of options, so if a preset header needs a tweak before adding, select it from the drop-down menu and click the Edit button (which appears once a preset is selected). The preset header will then appear in a text field and can be edited. Once the edits have been made, click the Add Header button. Remember to save changes.
To add a completely custom header, choose Custom from the drop-down menu. A text field will appear in which to enter the header as a single "Name: value" line, exactly as it should be sent in the HTTP response. Once the header has been entered, click the Add Header button. Remember to save changes, and check the live site's response headers afterwards, since a malformed header name or value is sent to browsers as typed.
Content Security Policy | Content-Security-Policy: default-src 'self'
Content Security Policy (CSP) is a security standard introduced to help prevent cross-site scripting (XSS) and other content injection attacks. It achieves this by restricting the sources from which the user agent may load content (scripts, styles, images, frames and so on) to those explicitly allowed by the site operator. The preset default-src 'self' allows content only from the site's own origin and blocks inline scripts and styles as well as anything served from a third-party domain such as a CDN, so test the site after adding it; pages that rely on inline or external resources will need additional directives.
Enable Secure | Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
The HTTP Strict Transport Security (HSTS) header tells browsers that your website must only be accessed over HTTPS. A browser that has seen the header will rewrite plain http:// requests to https:// and refuse to bypass certificate errors for the site for max-age seconds (63072000 is two years). includeSubDomains extends that policy to every subdomain, and preload signals that the site can be submitted to the browsers' built-in preload list at hstspreload.org, which requires includeSubDomains and a max-age of at least one year. Only add this header once HTTPS is working for the whole site and all of its subdomains, because browsers will honour it for the full max-age even if HTTPS later breaks.
X Content Type | X-Content-Type-Options: nosniff
The X-Content-Type-Options header protects against MIME sniffing. Browsers may inspect a response body and guess a content type that differs from the declared Content-Type; nosniff tells them to trust the declared type instead. This matters when a website lets users upload files: an attacker can upload a file that is really HTML or JavaScript disguised as, say, an image or plain text, and without nosniff a browser may sniff and execute it, giving the attacker an opportunity to perform cross-site scripting and compromise the website.
XSS Protection | X-XSS-Protection: 1; mode=block
The X-XSS-Protection header enables the reflected cross-site scripting (XSS) filter built into some older web browsers; mode=block stops the page from rendering at all when an attack is detected, rather than trying to sanitise it. Where the filter exists it is usually on by default, and sending the header enforces it. Note that this is a legacy header: Firefox never implemented the filter and Chromium-based browsers removed it, so it should be treated as a small extra for old browsers and not as a substitute for Content-Security-Policy.
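The following Python script is an added example and is not part of MCS or of this page. It does two things a site operator would want before and after adding the headers above: it validates a "Name: value" line as typed into the Custom field (rejecting, for instance, a header name containing a space), and it audits a set of response headers against the four presets, parsing the HSTS and CSP directives rather than comparing strings. The sample responses and the one-year minimum max-age (the value hstspreload.org requires) are constructed and assumed here; nothing is fetched from the network.

```python
"""Offline checker for the four security headers (added example)."""
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" characters: an HTTP header name may contain only these.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Assumption: one year, the minimum max-age required by hstspreload.org.
MIN_HSTS_MAX_AGE = 31536000


def parse_header_line(line: str) -> Tuple[str, str]:
    """Split 'Name: value' into (name, value); ValueError if the name is not a token."""
    if ":" not in line:
        raise ValueError(f"no ':' separating name and value: {line!r}")
    name, value = line.split(":", 1)
    name = name.strip()
    if not _TOKEN_RE.match(name):
        raise ValueError(f"invalid header name {name!r}")
    return name, value.strip()


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Parse ';'-separated directives of either HSTS ('max-age=63072000; preload')
    or CSP ('default-src 'self'; img-src *') form into {lower-name: [values]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                 # HSTS style: key=value
            k, v = part.split("=", 1)
            out[k.strip().lower()] = [v.strip()]
        else:                           # CSP style: directive source source ...
            tokens = part.split()
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings per preset header; an empty list means present and acceptable."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, List[str]] = {}

    issues: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("missing")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", ["-1"])[0])
        except ValueError:
            max_age = -1
        if max_age < MIN_HSTS_MAX_AGE:
            issues.append(f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:  # directive names are case-insensitive
            issues.append("includeSubDomains not set")
    findings["Strict-Transport-Security"] = issues

    xcto = h.get("x-content-type-options")
    findings["X-Content-Type-Options"] = (
        [] if xcto is not None and xcto.strip().lower() == "nosniff"
        else ["missing" if xcto is None else f"unexpected value {xcto!r}"]
    )

    issues = []
    csp = h.get("content-security-policy")
    if csp is None:
        issues.append("missing")
    else:
        d = parse_directives(csp)
        if "default-src" not in d:
            issues.append("no default-src fallback")
        for directive in ("default-src", "script-src"):
            sources = d.get(directive, [])
            if "*" in sources or "'unsafe-inline'" in sources:
                issues.append(f"{directive} allows * or 'unsafe-inline'")
    findings["Content-Security-Policy"] = issues

    # Legacy header: only '0' (off) or '1; mode=block' are sensible values.
    xxp = h.get("x-xss-protection")
    if xxp is None:
        findings["X-XSS-Protection"] = ["missing (legacy header; CSP is the modern control)"]
    else:
        d = parse_directives(xxp)
        ok = xxp.strip() == "0" or ("1" in d and d.get("mode") == ["block"])
        findings["X-XSS-Protection"] = [] if ok else [f"unexpected value {xxp!r}"]
    return findings


# Constructed sample: a site serving all four presets as listed above.
PRESET_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a weak configuration the audit should flag.
WEAK_RESPONSE = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, resp in (("preset", PRESET_RESPONSE), ("weak", WEAK_RESPONSE)):
        for header, problems in audit_headers(resp).items():
            print(f"[{label}] {header}: {'ok' if not problems else '; '.join(problems)}")
```

To use it against a live site, fill the dictionary from the response headers of a tool such as curl -I and pass it to audit_headers; parse_header_line is the check to run on any custom header before it is saved, since the panel does not validate the line for you.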