nodesec-manual-headers
var express = require('express');
var app = express();
app.disable('x-powered-by'); // disable X-Powered-By header
app.use(function(req, res, next){
res.header('X-XSS-Protection', '1; mode=block');
res.header('X-Frame-Options', 'deny');
res.header('X-Content-Type-Options', 'nosniff');
next();
});