Following the principle of delivering a hardened platform out of the box (XSRF token, preventing cookie stealing etc), I think we should adopt the following countermeasure as well: CSP

See for reference: http://en.wikipedia.org/wiki/Content_Security_Policy
and for an example usage/explanation (even though that one involves usage of an external firewall): http://blog.spiderlabs.com/2013/10/phpnet-site-infected-with-malware.html