Adding Response Headers for Security

I'm looking to add some HTTP Response Headers for security, such as the ones below. I don't see a place within the Concrete5 front end to add these headers, and can't seem to find the file they're generated from while digging around in the back end. What's the best practice here?

(Examples copied from )

strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

View Replies:
Mnkras replied on at Permalink Reply
We do set x-frame-options, but the other ones aren't set by default (I don't think) but you can pretty easily set the via a middleware, this is the one for x-frame-options: