Stev0W asked on

Remote Web Workplace fails penetration test on the HTTP security response headers

On our small site, we are running a single DC, Server 2016 Standard running the Essentials role.


After a penetration test on our domain, the report says that "Several HTTP headers that can be used to provide additional security were not used, these security headers can help defend against a number of common attack vectors".


From googling, it looks like this can be fixed with PowerShell, but the commands are not being recognised. What would be the simplest way to proceed?

Tags: Security, PowerShell, Windows Server 2016 Essentials

Last comment: Giovanni, 8/22/2022 (Mon)
David Favor

1) You can use the https://securityheaders.com tester (or many similar testers) for granular data about what to fix.

2) Ultimately you'll effect header changes in your Webserver config files, then restart your Webserver to serve new headers.

3) Likely you can use PowerShell commands + I prefer just to edit Webserver configs to effect header changes.

File Editing == Simple

Scripting Edits == Complex (and can destroy files)

Since this is usually a one off (one + done) activity, file editing is the safer choice.

Also file editing will work on any Webserver, where scripted edits only work on 1x Webserver config.
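For the IIS case behind Remote Web Access on Server 2016 Essentials, the two approaches above converge: the PowerShell cmdlets below write the same `<customHeaders>` entries into the site's web.config that you would otherwise add by hand. This is an added example, not code from the thread or from Microsoft; it assumes the WebAdministration module is available (the usual reason the cmdlets are "not recognised" is that it was never imported), that Remote Web Access is hosted under the site named `Default Web Site` at `/remote/`, and that the server is already HTTPS-only before HSTS is set. It takes a restorable backup first and verifies the result from the client side afterwards, so you can see what the pentester's scanner sees.

```powershell
# Added example (not from the original thread). Assumes IIS on Server 2016 with the
# WebAdministration module available, and that Remote Web Access lives under the
# site named 'Default Web Site'; adjust $SiteName and $Url if yours differ.
# Run from an elevated PowerShell prompt on the server.
Import-Module WebAdministration   # without this, Add-WebConfigurationProperty is "not recognised"

$SiteName = 'Default Web Site'
$PSPath   = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/httpProtocol/customHeaders'

# A conservative set that is unlikely to break a canned site. Content-Security-Policy is
# deliberately left out: it has to be tuned to the page's own inline scripts and tested.
$Headers = [ordered]@{
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'SAMEORIGIN'
    'Referrer-Policy'           = 'strict-origin-when-cross-origin'
    # IIS 10.0 on Server 2016 has no native HSTS element (that arrived in IIS 10.0 v1709),
    # so HSTS is set as a plain custom header. Only add it once the site is HTTPS-only.
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
}

# Restorable snapshot of applicationHost.config and site web.configs, addressing the
# "scripted edits can destroy files" concern. Roll back with:
#   Restore-WebConfiguration -Name <backup name>
$backupName = 'pre-headers-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
Backup-WebConfiguration -Name $backupName | Out-Null
Write-Host "IIS configuration backed up as '$backupName'"

# Existing <add name=".." value=".."/> entries under customHeaders for this site.
$existing = @(Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add")

foreach ($name in $Headers.Keys) {
    if ($existing | Where-Object { $_.name -eq $name }) {
        Write-Host "skip    $name (already configured)"
        continue
    }
    # Writes an <add> element into the site's web.config; IIS reloads it automatically,
    # so no service restart is needed.
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' `
        -Value @{ name = $name; value = $Headers[$name] }
    Write-Host "added   $name"
}

# Optional hygiene: drop the version-disclosure header IIS adds by default.
if ($existing | Where-Object { $_.name -eq 'X-Powered-By' }) {
    Remove-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' `
        -AtElement @{ name = 'X-Powered-By' }
    Write-Host "removed X-Powered-By"
}

# Verify from the client side. A self-signed or untrusted certificate makes
# Invoke-WebRequest fail on Windows PowerShell 5.1; test against the public name instead.
$Url = "https://$env:COMPUTERNAME/remote/"   # assumed Remote Web Access path
try {
    $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    foreach ($name in $Headers.Keys) {
        $state = if ($resp.Headers.ContainsKey($name)) { 'present' } else { 'MISSING' }
        Write-Host ('{0,-8} {1}: {2}' -f $state, $name, $resp.Headers[$name])
    }
} catch {
    Write-Warning "Request to $Url failed: $($_.Exception.Message)"
}
```

Re-run the external tester from step 1 after this, since it checks the public hostname through whatever reverse proxy or firewall sits in front of the server, and re-test logging in to Remote Web Access after each header is added rather than all at once: if a page breaks, `Restore-WebConfiguration -Name <backup name>` puts the configuration back exactly as it was.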
Philip Elder

Since the Essentials RWW is essentially a canned setup one needs to be careful about tweaking it.

The principal change that needs to happen is to enable TLS 1.2 and disable the other versions (SSL as well). Was this done already as it should have shown up in the security audit if it wasn't?
Stev0W

ASKER
Hi Philip, yes TLS 1.0 & 1.1 have been disabled along with other insecure protocols. It's just the missing headers that seem to be an issue on the report.
I think as David says I may have to change the HTTP security headers manually. I'm not familiar with what I would have to add without breaking anything and was wondering if anybody else had made these changes.
Philip Elder

This is the first time I've ever seen this recommendation.

It's an oddball so I think it would be good to see the justification for it. It should have an explanation that is in-depth along with the methods, or pointers to the methods, to implement the requested changes.

Care to elaborate?
ASKER CERTIFIED SOLUTION
Giovanni