Enable HSTS once HTTPS is solid across the whole host (includeSubDomains when ready).
Start CSP in report-only, then tighten script-src and object-src until you can enforce.
Set X-Frame-Options or frame-ancestors, Referrer-Policy, and Permissions-Policy as a baseline.