Default Security Headers

I was reading an article on Google+ I found through Hacker News:

I was wondering if these headers should be turned on by default in

As far as I know, some of them can be sent by default, while others
can only be sent when force_ssl is on.

I think adding the X Headers by default would be fine. I don't think we
should muck with the cookie one though.