Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//...".

Load external scripts over HTTPS, and add SRI to them.

Content Security Policy (CSP) header not implemented

Implement one, see MDN's Content Security Policy (CSP) documentation.

X-Content-Type-Options header not implemented.