http – Which security headers should be sent with static files such as css/js/images


Of the security headers listed here: https://owasp.org/www-project-secure-headers/ which ones should be sent with static files (css, js, images etc) and what does setting them each achieve in that context. Assuming a situation where they are already set strictly in the html response.

Added my current assumptions followed by my thoughts on what header to set:

  • HTTP Strict Transport Security (HSTS)
    • I assume it makes sense to set this to avoid static files being sent over http
    • Strict-Transport-Security: max-age=31536000
  • Content-Security-Policy
    • I assume most of the src destinations would be enforced by the csp on from the html anyway, frame ancestors would stop someone loading your files on in an iframe but not just directly loading it anyway so is pointless?
  • X-Frame-Options
    • Same assumption as csp would stop other domain loading file in iframe but not directly so no point?
  • X-Content-Type-Options
    • this makes sense to set although still not sure if it’s needed when set on the original html response anyway
    • X-Content-Type-Options: nosniff
  • Referrer-Policy
    • assume there’s no benefit of having the referrer header sent anyway
    • Referrer-Policy: no-referrer
  • X-XSS-Protection
    • owasp in the link above recommends setting this to 0 now everywhere which I didn’t know until I wrote this question… Can xss be achieved inside a static file anyway
    • Do I need to change everything from X-XSS-Protection: 1; mode=block to X-XSS-Protection: 0 including on static files

I saw the following question but is quite old, just one answer and no reference to CSP