When I set these security headers, they are not being sent on the response on requests to the GetImage handler or static files:
They are not.
Generally they do not make that much sense for static resources. STS is the most important but only has to be sent once for the domain.
X-Content-Type-Options is the only one you could argue to add for css/js files - but the rest is just adding more data to send with no real effect.
You can probably do something like this custom if you want it:
using Dynamicweb.Host.Core;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using System.Threading.Tasks;

namespace CustomCode
{
    public class SecurityHeadersPipeline : IPipeline
    {
        public int Rank => 200; // Ensure this runs after the built-in pipelines

        public void RegisterServices(IServiceCollection services, IMvcCoreBuilder mvcBuilder)
        {
            // No extra services needed here, unless your middleware depends on some
        }

        public void RegisterApplicationComponents(IApplicationBuilder app)
        {
            app.UseMiddleware<SecurityHeadersMiddleware>();
        }

        public void RunInitializers()
        {
            // Not needed here
        }
    }

    public class SecurityHeadersMiddleware
    {
        private readonly RequestDelegate _next;

        public SecurityHeadersMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task Invoke(HttpContext context)
        {
            // Register the callback before calling next(); it runs just before the response
            // headers are flushed, which is the last point at which headers can still be set.
            context.Response.OnStarting(() =>
            {
                // HSTS (only on HTTPS)
                if (context.Request.IsHttps)
                {
                    context.Response.Headers["Strict-Transport-Security"] = "max-age=2592000"; // adjust as needed
                }

                // X-Content-Type-Options: applies to every response type
                context.Response.Headers["X-Content-Type-Options"] = "nosniff";

                // Now decide if it's HTML
                var path = context.Request.Path.Value;
                bool isHtml = false;

                // Option 1: check the path extension
                if (path != null && (path.EndsWith(".html", System.StringComparison.OrdinalIgnoreCase)
                    || path.EndsWith("/") // maybe default pages
                    || path.EndsWith(".cshtml", System.StringComparison.OrdinalIgnoreCase))) // if dynamic rendering etc.
                {
                    isHtml = true;
                }

                // Option 2: inspect context.Response.ContentType instead. By the time OnStarting runs
                // the downstream handler has normally set it, so a "text/html" check works here too.

                if (isHtml)
                {
                    context.Response.Headers["X-Frame-Options"] = "sameorigin";
                    context.Response.Headers["X-XSS-Protection"] = "1; mode=block";
                    // Referrer-Policy etc.
                    context.Response.Headers["Referrer-Policy"] = "no-referrer-when-downgrade";
                }

                return Task.CompletedTask;
            });

            await _next(context);

            // Headers may already have been sent once next() returns, so a Content-Type based
            // decision belongs in the OnStarting callback above rather than here.
        }
    }
}
Custom, I can do anything, but I think that DW's default could be improved by sending the HTTP Security Headers; the easy fix would be to send them regardless of the resource, but that's up to you.
The issue right now is that none of them are set.
We have now added an option to add 'Strict-Transport-Security' and 'X-Content-Type-Options' for static resources and image requests from security settings.
x-xss is a deprecated flag only for older browsers, so it is not included in this, and x-frame and referrer policy seem not relevant for static resources and are also left out.
BR Nicolai
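To confirm which of the headers discussed in this thread a response actually carries, here is an added Python checker; it is not part of the thread or of Dynamicweb, and the three sample responses it audits are constructed, not captured from any real server.

```python
"""Check captured HTTP responses for the headers discussed above: HSTS (HTTPS only) and
X-Content-Type-Options on every response, X-Frame-Options and Referrer-Policy only on
HTML, and the deprecated X-XSS-Protection reported wherever it still appears."""
from __future__ import annotations

ALWAYS = ("strict-transport-security", "x-content-type-options")
HTML_ONLY = ("x-frame-options", "referrer-policy")
DEPRECATED = ("x-xss-protection",)


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.1 response into status code and lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def is_html(headers: dict[str, str]) -> bool:
    """True when the media type (parameters stripped) is text/html."""
    return headers.get("content-type", "").split(";")[0].strip().lower() == "text/html"

def audit(raw: str, https: bool = True) -> dict[str, list[str]]:
    """Return the expected headers missing from one response and any deprecated ones present."""
    _, headers = parse_response(raw)
    expected = [h for h in ALWAYS if https or h != "strict-transport-security"]
    if is_html(headers):
        expected += HTML_ONLY
    return {
        "missing": [h for h in expected if h not in headers],
        "deprecated": [h for h in DEPRECATED if h in headers],
    }

# Constructed sample responses, not captured from any real server.
HTML_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=2592000\r\nX-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: sameorigin\r\nReferrer-Policy: no-referrer-when-downgrade\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n<html></html>"
)
IMAGE = "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 0\r\n\r\n"
STYLESHEET = "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nX-Content-Type-Options: nosniff\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("GetImage", IMAGE), ("stylesheet", STYLESHEET), ("HTML page", HTML_PAGE)):
        print(f"{name}: {audit(raw)}")
```

Feed it the raw response of a page, a GetImage request and a static file (for example via `curl -si`) to see per resource type which of the agreed headers is still absent.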