We started to implement security headers in all our public web services. This article has some examples of how I implemented them in F5 and/or Apache.

 

For HTTP Strict Transport Security (HSTS) I used an iRule. (current max-age is 181 days)

when RULE_INIT {
set static::max_age 15638400
}
when HTTP_RESPONSE {
  #HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
}

If you don't have an F5 you can implement the HSTS header in apache as well like this:

Header append Strict-Transport-Security "max-age=63072000; includeSubdomains;"

The other Security Headers are in Apache if possible.

RequestHeader set X-Forwarded-Proto "https"

Header append X-Frame-Options SAMEORIGIN
Header append X-XSS-Protection "1; mode=block"
Header append X-Content-Type-Options nosniff
Header append Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append x-webkit-csp "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append X-Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append Referrer-Policy "strict-origin-when-cross-origin"

Or for Java based applications we also use an iRule:

when HTTP_REQUEST { 
HTTP::header insert X-Forwarded-Proto "https"
}
when HTTP_RESPONSE {
#X-XSS-Protection
HTTP::header insert X-XSS-Protection "1; mode=block"
#X-Frame-Options
HTTP::header insert X-Frame-Options "SAMEORIGIN"
#X-Content-Type-Options
HTTP::header insert X-Content-Type-Options "nosniff"
#CSP
HTTP::header insert Content-Security-Policy "frame-ancestors 'self'"
#CSP for IE
HTTP::header insert X-Content-Security-Policy "frame-ancestors 'self'"
#CSP
HTTP::header insert x-webkit-csp "frame-ancestors 'self'"
#referrere policy
HTTP::header insert Referrer-Policy "strict-origin-when-cross-origin"
}

Some info about Security Headers:

And to verify your Security Headers you can use this online tool

And the blog of the guy who made the test. He seems well informed and his blog has a lot of useful information and examples

And of course to verify that this site got an A rating!