Scott Helme writes a lot about security and runs a great site SecurityHeaders that will check your website for common security issues caused by web server configuration.
I spent this weekend re-configuring the hosting for StaticForms to address all the issues identified (except Feature-Policy, which I'm working on) and managed to get a "A".
StaticForms is an ASP.NET application hosted on Microsoft Azure. Blog post coming soon on how to use
web.config to configure an application securely.