I notice HSTS is supported but you're not "baked into chromium or firefox source code yet"
Obviously you're aware of this, as duckduckstart.com is on there, but it's an interesting decision just to use headers.
But CSP and HPKP headers aren't being used. Any plans to implement HPKP to limit MITM?
I know the whole PKI is pretty broken, and HPKP can't stop some forms of MITM, but it would drastically reduce it, and without breaking local proxies, antivirus etc. where local manually installed CA certs are being used.
It's just in keeping with not being tracked.
So CSP headers are very useful here too. They would cost you more dev time, but they promote best practice, and severely limit side channel attacks from injected code and so on...
Just a thought from a very happy quacker :)
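An added header audit (example code, not from the post or from DuckDuckGo) showing how a site operator could check their own responses for the HSTS, HPKP and CSP properties discussed above. The sample headers are constructed; the one-year preload threshold and the two-pin minimum are the hstspreload.org and RFC 7469 requirements.

```python
import re

# Constructed sample response headers (not captured from any real site), shaped
# like the situation described in the post: HSTS present, HPKP and CSP absent.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html",
}

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def _directives(value):
    """Split 'max-age=3600; includeSubDomains' into a lower-cased name -> value dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def audit_headers(headers):
    """Return a list of findings for the HSTS / HPKP / CSP headers of one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = _directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        # Preload submission needs a one-year max-age plus both flags.
        if max_age < PRELOAD_MIN_MAX_AGE or "includesubdomains" not in d or "preload" not in d:
            findings.append("HSTS: not eligible for browser preload list")

    hpkp = h.get("public-key-pins")
    if hpkp is None:
        findings.append("HPKP: header missing")
    else:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:  # RFC 7469: at least one pin must be a backup key
            findings.append("HPKP: needs at least two pins (one must be a backup)")
        if "max-age" not in _directives(hpkp):
            findings.append("HPKP: max-age directive missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif "'unsafe-inline'" in csp and not re.search(r"'(nonce-|sha(256|384|512)-)", csp):
        findings.append("CSP: 'unsafe-inline' without nonces or hashes weakens injection protection")

    return findings
```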