Implement Subresource Integrity (SRI)

On the way to more complex and distributed NC installations, one step should be implementing Subresource Integrity as per the W3 standard. Even with most NC installations serving all their resources from a single origin, I see this as a moderately cheap way to increase security, and for anything involving CDNs or elaborate caching schemes I would consider it a best practice until proper code signing is reliable and practical in a web environment.

I am unsure what the best way to implement it is. Many NC installations run on ‘simple’ webhosting with little or no control over what software or modules are available, and I sure as hell do not want to see some home-grown PHP crypto implementation in NC, so this would have to be kept optional and contain a capability check on the server before enabling; otherwise supporting browsers will wreak havoc with warnings.
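
A sketch of the capability check and attribute generation described above, added here as an example and not taken from the post or from Nextcloud's code base. It relies only on PHP's built-in `hash()` and `hash_algos()`; the function names, the sample asset and the CDN URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// SRI accepts sha256, sha384 and sha512; prefer the strongest the host offers.
const SRI_ALGOS = ['sha512', 'sha384', 'sha256'];

/** Capability check: first SRI digest the built-in hash extension supports, or null. */
function sriPickAlgorithm(): ?string
{
    if (!function_exists('hash_algos')) {
        return null; // hash extension missing: SRI stays disabled
    }
    $available = hash_algos();
    foreach (SRI_ALGOS as $algo) {
        if (in_array($algo, $available, true)) {
            return $algo;
        }
    }
    return null;
}

/** Integrity value "<algo>-<base64 of the raw digest>" over the exact bytes served. */
function sriIntegrity(string $bytes, string $algo): string
{
    // Third argument true = raw binary digest; SRI encodes that, not the hex form.
    return $algo . '-' . base64_encode(hash($algo, $bytes, true));
}

/** Emit a script tag; with no usable algorithm the attribute is omitted, not guessed. */
function sriScriptTag(string $url, string $bytes): string
{
    $tag = '<script src="' . htmlspecialchars($url, ENT_QUOTES) . '"';
    $algo = sriPickAlgorithm();
    if ($algo !== null) {
        // crossorigin is required for the browser to verify cross-origin resources.
        $tag .= ' integrity="' . sriIntegrity($bytes, $algo) . '" crossorigin="anonymous"';
    }
    return $tag . '></script>';
}

// Constructed sample asset and URL (hypothetical, for illustration only).
$asset = "console.log('hello');\n";
echo sriScriptTag('https://cdn.example.com/core/js/main.js', $asset), PHP_EOL;
```

The digest must be computed over the file exactly as it is delivered, so any minification or rewriting step that runs after hashing will cause supporting browsers to block the resource.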