I test my website using https://observatory.mozilla.org/analyze and I got F score.
The reasons are:
Content Security Policy (CSP) header not implemented
X-XSS-Protection header not implemented
X-Frame-Options (XFO) header not implemented
...
I serve my website using CloudFront.
Where I put those missing headers to CloudFront?
See Question&Answers more detail:os