A start to the newly added Transport security BDD story specifies secure HTTP headers for the base URL of the app:
I might refactor this so that HSTS applies to the base URL, but X-Frame-Options and CSP are checked on every page that’s part of a @Restricted Selenium flow.
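The split described above (HSTS asserted once on the base URL, X-Frame-Options and CSP asserted on every page visited) can be sketched as below. This is an added Python example, not the project's story or step code; the function names, URLs and sample responses are all assumptions constructed for illustration.

```python
import re

def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def hsts_ok(headers):
    """HSTS counts only when it carries a positive max-age directive."""
    value = _get(headers, "Strict-Transport-Security") or ""
    match = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(match) and int(match.group(1)) > 0

def framing_ok(headers):
    """X-Frame-Options must be DENY or SAMEORIGIN."""
    return (_get(headers, "X-Frame-Options") or "").upper() in ("DENY", "SAMEORIGIN")

def csp_ok(headers):
    """Checks only that a non-empty policy is present, not how strict it is."""
    return bool(_get(headers, "Content-Security-Policy"))

def audit(base_url, responses):
    """responses maps URL -> response headers; returns sorted (url, header) findings."""
    findings = []
    for url, headers in responses.items():
        # HSTS is asserted for the base URL only.
        if url == base_url and not hsts_ok(headers):
            findings.append((url, "Strict-Transport-Security"))
        # Framing and CSP protections are asserted for every page.
        if not framing_ok(headers):
            findings.append((url, "X-Frame-Options"))
        if not csp_ok(headers):
            findings.append((url, "Content-Security-Policy"))
    return sorted(findings)

# Constructed sample responses (not captured from a real application).
BASE = "https://app.example.test/"
SAMPLE = {
    BASE: {"strict-transport-security": "max-age=31536000; includeSubDomains",
           "X-Frame-Options": "DENY",
           "Content-Security-Policy": "default-src 'self'"},
    BASE + "account": {"X-Frame-Options": "ALLOWALL",
                       "Content-Security-Policy": "default-src 'self'"},
    BASE + "admin": {"X-Frame-Options": "sameorigin"},
}

if __name__ == "__main__":
    for url, header in audit(BASE, SAMPLE):
        print(f"{url}: missing or weak {header}")
```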