AMQ Broker
ENTMQBR-1025

Hawtio console (or its replacement) should implement the latest HTTP security enhancements


    • Release Notes
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. HSTS and HPKP are not enabled by default but can be configured through the new system properties "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
    • Documented as Feature Request
    • AMQ Broker 1839, AMQ Broker 1842

      The web console should implement the latest HTML/JS security extensions, including the following...

      • HTTP Strict Transport Security (HSTS)
        It should be possible for the console to be configured to tell browsers that HTTPS connections are preferred to HTTP
      • Public Key Pinning Extension
        The HTTPS web server responds to the client with a list of hashed public keys, one of which must match the certificate(s) it supplies to the client. This is to reduce the risk of man-in-the-middle attacks
      • X-XSS-Protection
        The server should respond with the header that tells browsers to enable cross-site scripting filters (on the assumption that the console will never ask the browser to make cross-site scripting requests)
      • X-Content-Type-Options
        The server should set the header that disables "content type sniffing" in the browser
      • Content Security Policy
        The server supplies headers that indicate the type of content that a page, and its embedded resources, are likely to supply.

      Most of these extensions are aimed at reducing the risks created by cross-site-scripting attacks. Probably most of them only require setting certain headers in the responses to the browser.
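      The following is an added example, not AMQ Broker, Hawtio or Red Hat code, that audits a set of HTTP response headers against the five headers listed in this request. It is written in Python rather than the console's Java because it is the kind of check an operator runs against a deployed console rather than part of the console itself. The thresholds it applies (a one-year HSTS max-age, at least two HPKP pins so that one can be a backup, `mode=block` for X-XSS-Protection, a `default-src` fallback in the CSP) are the example's own hardening assumptions, and both header sets at the bottom are constructed, not captured from a real console. Mainstream browsers have since dropped HPKP enforcement, so a missing pinning header is reported as informational only.

```python
"""Audit HTTP security headers (HSTS, HPKP, X-Content-Type-Options,
X-XSS-Protection, CSP) on a dict of response headers.  Added example;
thresholds are this example's assumptions, not AMQ Broker defaults."""
import base64
import re
from typing import Dict, List, Optional

# Header names, lower-cased so lookups are case-insensitive.
HSTS = "strict-transport-security"
HPKP = "public-key-pins"
XCTO = "x-content-type-options"
XXSS = "x-xss-protection"
CSP = "content-security-policy"

ONE_YEAR = 31536000  # seconds; assumed hardening baseline for HSTS max-age


def _directives(value: str) -> Dict[str, Optional[str]]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': None}."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if sep else None
    return out


def _max_age(directives: Dict[str, Optional[str]]) -> Optional[int]:
    raw = directives.get("max-age")
    return int(raw) if raw is not None and raw.isdigit() else None


def _valid_pin(pin: str) -> bool:
    """A pin-sha256 value is the base64 of a 32-byte SHA-256 SPKI digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def audit_security_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {header: [problems]}; an empty list means that header passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    report: Dict[str, List[str]] = {HSTS: [], HPKP: [], XCTO: [], XXSS: [], CSP: []}

    # HSTS: the browser insists on HTTPS for max-age seconds.
    if HSTS not in h:
        report[HSTS].append("header missing: browsers will still accept plain HTTP")
    else:
        d = _directives(h[HSTS])
        age = _max_age(d)
        if age is None:
            report[HSTS].append("max-age directive missing or not an integer")
        elif age < ONE_YEAR:
            report[HSTS].append(f"max-age={age} is below the one-year baseline")
        if "includesubdomains" not in d:
            report[HSTS].append("includeSubDomains not set (subdomains stay unprotected)")

    # HPKP: two or more SHA-256 SPKI pins (one must be a backup) plus max-age.
    if HPKP not in h:
        report[HPKP].append("header missing (informational: no pinning)")
    else:
        pins = re.findall(r'pin-sha256="([^"]*)"', h[HPKP])
        bad = [p for p in pins if not _valid_pin(p)]
        if len(pins) < 2:
            report[HPKP].append(f"{len(pins)} pin(s) found; a backup pin is required (>= 2)")
        if bad:
            report[HPKP].append(f"pins are not base64 SHA-256 digests: {bad}")
        if _max_age(_directives(h[HPKP])) is None:
            report[HPKP].append("max-age directive missing")

    # X-Content-Type-Options: the only meaningful value is 'nosniff'.
    if h.get(XCTO, "").lower() != "nosniff":
        report[XCTO].append("header missing or not 'nosniff': MIME sniffing stays enabled")

    # X-XSS-Protection: '1; mode=block' enables the legacy filter and blocks the page.
    if XXSS not in h:
        report[XXSS].append("header missing")
    else:
        d = _directives(h[XXSS])
        if "0" in d:
            report[XXSS].append("filter explicitly disabled (value 0)")
        elif d.get("mode") != "block":
            report[XXSS].append("filter enabled without mode=block")

    # CSP: directives are space-separated, e.g. "default-src 'self'; script-src 'self'".
    if CSP not in h:
        report[CSP].append("header missing: no source restrictions on scripts/resources")
    else:
        csp = {p.split()[0].lower(): p.split()[1:] for p in h[CSP].split(";") if p.split()}
        if "default-src" not in csp:
            report[CSP].append("no default-src fallback: unlisted resource types are unrestricted")
        if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
            report[CSP].append("script-src allows 'unsafe-inline', which defeats XSS mitigation")
    return report


def is_hardened(headers: Dict[str, str]) -> bool:
    return not any(audit_security_headers(headers).values())


# Constructed sample header sets (not captured from a real console).
UNHARDENED = {"Content-Type": "text/html", "Server": "Jetty"}
_PIN_A = base64.b64encode(b"A" * 32).decode()  # placeholder digests, not real keys
_PIN_B = base64.b64encode(b"B" * 32).decode()
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": f'pin-sha256="{_PIN_A}"; pin-sha256="{_PIN_B}"; max-age=5184000',
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, "OK" if is_hardened(hdrs) else audit_security_headers(hdrs))
```

      Running it prints every header as failing for the first set and "OK" for the second; feeding it the headers of a live console (for example from a `curl -sI` capture) shows exactly which of the requested protections are still missing.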

            rhn-support-tasato Tadayoshi Sato
            rhn-support-kboone Kevin Boone
            Petra Svobodova Petra Svobodova (Inactive)
            Votes: 0
            Watchers: 10


                Estimated: 1h
                Remaining: 1h
                Logged: Not Specified