HSTSMiddleware adds only the Strict-Transport-Security with a duration of 2 years.

Middleware adds some headers suitable for secure sites.

ContentSecurityPolicy defaults to a strict policy disallowing iframes and scripts from any other origin save self (and Google Analytics for scripts).