For additional protection, you can edit $MM_HOME/tomcat/conf/web.xml.
By default, the application sets the following headers to the recommended
values:
* Content-Security-Policy
* X-Content-Type-Options
* X-XSS-Protection
The X-Frame-Options header is not set by default; it can be enabled manually
by adding the following fragment:
    <init-param>
        <param-name>X-Frame-Options</param-name>
        <param-value>sameorigin</param-value>
    </init-param>
The HSTS header is not strictly necessary: when the application is
configured for HTTPS, plain HTTP is not accepted at all, and no automatic
HTTP-to-HTTPS redirection is provided. However, if you want or need to add
it, you can do so manually by adding the following fragment:
    <init-param>
        <param-name>Strict-Transport-Security</param-name>
        <param-value>max-age=31536000; includeSubDomains</param-value>
    </init-param>