I think the weight of your security checks should not be the same across them all. I understand it's hard to generalise because the nature of the web app may depend more on one or another, but the general distribution of importance is still far from 1:1. Some suggestions:
X-XSS-Protection - is already the default and it's not used by Mozilla. I would downplay the importance of this one;
Strict-Transport-Security - in the absence of having the domain on the HSTS preloaded list, this is really important, it's supported by all major browsers and it's a W3C standard. I think it's at least 2 times more important than several other things like secure cookies (much smaller coverage and redundant with HSTS), X-XSS-Protection (reasons explained above), Referrer policy (the presence of a referrer policy may be good or bad - unsafe-url vs same-origin)
On SSL - I think a self-signed cert for a public website is a lot worse than all the theoretical attacks combined. If you can throw any certificate and get away with it for MitM, you don't even need to contemplate how to pull off a POODLE or CRIME attack, which are likely to be impossible depending on the browser, Logjam and network conditions. The only exception I see is Heartbleed, which is also very high risk (although it is not really an attack on SSL) and is a very practical attack.
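The weighting argued for above, as an added example that is not part of the original comment or of any tool it discusses: a small checker that parses the relevant response headers and scores them with unequal weights (the weight values, the 180-day HSTS minimum and the sample header sets are all assumptions constructed for the example, chosen so that HSTS counts roughly twice as much as secure cookies, Referrer-Policy and X-XSS-Protection).

```python
"""Weighted scoring of HTTP security headers (added example; weights are assumptions)."""
from typing import Dict, List, Tuple

# Hypothetical weights following the comment's argument: HSTS ~2x the others,
# X-XSS-Protection downplayed because browsers already default to it.
WEIGHTS: Dict[str, int] = {
    "hsts": 4,
    "secure_cookies": 2,
    "referrer_policy": 2,
    "x_xss_protection": 1,
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed threshold for a meaningful HSTS policy

# Referrer-Policy values treated as "good" (same-origin and stricter); unsafe-url is not.
GOOD_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> bool:
    """Pass only if HSTS is present with a max-age at or above the assumed minimum."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False
    try:
        max_age = int(parse_hsts(value).get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= MIN_HSTS_MAX_AGE


def check_secure_cookies(set_cookie_values: List[str]) -> bool:
    """Every Set-Cookie must carry the Secure attribute; no cookies at all passes."""
    for cookie in set_cookie_values:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            return False
    return True


def check_referrer_policy(headers: Dict[str, str]) -> bool:
    """A policy only helps if it is present and restrictive (unsafe-url fails)."""
    value = headers.get("referrer-policy")
    return value is not None and value.strip().lower() in GOOD_REFERRER_POLICIES


def check_x_xss_protection(headers: Dict[str, str]) -> bool:
    """Absent counts as pass (browser default); an explicit '0' disables the filter."""
    value = headers.get("x-xss-protection")
    return value is None or value.strip().startswith("1")


def score_headers(raw_headers: List[Tuple[str, str]]) -> Tuple[int, int, Dict[str, bool]]:
    """Return (score, maximum, per-check results) for a list of (name, value) headers."""
    single: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in raw_headers:
        lname = name.lower()
        if lname == "set-cookie":        # Set-Cookie may repeat, so keep every value
            cookies.append(value)
        else:
            single[lname] = value
    results = {
        "hsts": check_hsts(single),
        "secure_cookies": check_secure_cookies(cookies),
        "referrer_policy": check_referrer_policy(single),
        "x_xss_protection": check_x_xss_protection(single),
    }
    score = sum(WEIGHTS[k] for k, ok in results.items() if ok)
    return score, sum(WEIGHTS.values()), results


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly"),
    ("Referrer-Policy", "same-origin"),
]
WEAK_RESPONSE = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", "session=abc; Path=/"),
    ("Referrer-Policy", "unsafe-url"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        score, maximum, details = score_headers(hdrs)
        print(f"{label}: {score}/{maximum} {details}")
```

Under these weights the weak response scores 1 of 9 despite setting X-XSS-Protection, because the expired HSTS policy, the cookie without Secure and the unsafe-url referrer policy all fail, which is the imbalance the comment argues a 1:1 weighting would hide.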