The package should update the web.config (and register services, if needed) to set various security-relevant options. Note that there will have to be a provision to enable HTTP for local test deployment while still using the package. -> Design=TBD
Same-origin policy via X-Frame-Options and CSP2
Use both frame-ancestors and (TBD) default-src. frame-ancestors is not supported in MS Edge. Exact behavior of default-src must first be evaluated.
Enable HSTS via headers: HSTS is a domain-level setting and should be configured by the server administrator, not the application.
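The following web.config fragment is an added illustration of the header set described in the notes above (X-Frame-Options plus CSP2 frame-ancestors and default-src); it is not the package's own configuration. It assumes IIS/ASP.NET hosting where the `<system.webServer>/<httpProtocol>/<customHeaders>` section is honoured, and it assumes that default-src is first shipped in a report-only policy while its exact behaviour is still being evaluated. HSTS is deliberately left out, since the notes assign it to the server administrator.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the package's actual web.config.
     Assumes IIS / ASP.NET hosting where <httpProtocol><customHeaders> is applied. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Legacy clickjacking protection for browsers that do not honour
             CSP2 frame-ancestors (the notes above name MS Edge). -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Enforced CSP2 policy: only same-origin pages may frame the app. -->
        <add name="Content-Security-Policy" value="frame-ancestors 'self'" />

        <!-- default-src is still TBD in the notes, so it is evaluated in
             report-only mode (assumption): violations are reported to the
             browser console / report endpoint but nothing is blocked yet. -->
        <add name="Content-Security-Policy-Report-Only"
             value="default-src 'self'; frame-ancestors 'self'" />

        <!-- Strict-Transport-Security is intentionally NOT set here:
             per the notes it is a domain-level setting owned by the
             server administrator, not the application package. -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, the headers can be checked from any client with `curl -I https://<host>/` and the report-only policy promoted to an enforced `Content-Security-Policy` once no unexpected violations appear. For the local HTTP test deployment mentioned above, this fragment needs no change, because none of these headers depends on the scheme; only the (omitted) HSTS header would.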