Default Security Headers

I was reading an article on Google+ I found through Hacker News:
http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/

I was wondering if these headers should be turned on by default in
Rails?

As far as I know, some of them can be sent by default, while others
can only be sent when force_ssl is on.

I think adding the X Headers by default would be fine. I don't think we
should muck with the cookie one though.