Hi @zimny
I saw you’re raising a few security concerns about the NS default configuration and, as @davidep said, any contribution to improve the current situation is welcome!
We are following upstream defaults, but this doesn’t mean we couldn’t harden it.
Do you have a public document or procedure you are using to harden your installation?
Maybe we could create a special section inside the manual.
Please also feel free to raise the discussion about a very similar feature: GDPR and SSL hardening