HSTS Missing From HTTPS Server

On my Gentoo webserver I had to add those lines near the SSL configuration in the Apache vhost config of the websites it’s serving, but I have to leave it to the NethServer pros to explain how this can be implemented with some e-smith template because I don’t know. Maybe they also decide to activate this option in the Apache config?

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set Content-Security-Policy "default-src 'self';"

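A check for confirming that the two headers from the post above are actually being sent after the vhost change, as an added example that is not part of the original post. The function names and the sample response heads are hypothetical and constructed for illustration; in practice the input would be the response head returned by the HTTPS vhost.

```python
def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, directive names)."""
    max_age, names = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        names.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdecimal() else None
    return max_age, names


def audit_headers(raw_response_head, min_age=31536000):
    """Return a list of findings for one raw HTTPS response head."""
    headers = {}
    for line in raw_response_head.strip().splitlines()[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    findings = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("HSTS header missing")
    else:
        # RFC 6797 section 8.1: only the first STS header field is processed.
        max_age, names = parse_hsts(hsts[0])
        if max_age is None:
            findings.append("HSTS max-age missing or malformed")
        elif max_age < min_age:
            findings.append("HSTS max-age below %d" % min_age)
        if "includesubdomains" not in names:
            findings.append("HSTS includeSubDomains not set")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy header missing")
    return findings


# Constructed sample response heads (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self';
"""
BAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Secure-Policy: default-src 'self';
"""
```

The `BAD` sample shows why a misspelled header name matters: browsers ignore a header they do not recognise, so the policy is silently not enforced.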