I have to tell you something important about security headers, recommended by all security experts as a protection against cross site scripting, requesting, etc. What security experts often forget to mention is this simple fact: all headers are instructions, sent from the web server to your browser. The browser should respect them. What happens if it does not?
Do you trust your browser? Obviously you do, why not. Firefox or Chrome, Edge or Safari, these cool products have been developed by serious organizations, they have the best ever dev teams and proper QA process, all is good. Wait a sec, are you absolutely sure you are browsing in the safe haven of one of them? Or perhaps you clicked a link in a mobile app and you are still in the “sandbox” browser of this app? It happens when you click a link in Lin or Twitter or Facebook app. Of course, their inner browsers are built according to the best standards and practices. Or not? What about inner browsers of other mobile apps? Do you trust them? How do you know they respect security headers of your web server? Even if they do, they have access to the htmls and java scripts of your website and can modify them after they are loaded from your website and before they are executed in the browser.
Let’s go further, your website has all the security headers and even a two-step authentication, users access it through the most updated version of Chrome, your product passed penetration tests from a well-known security agency, all their recommendations are implemented. What can go wrong now?
I do believe in vaccination, I vaccinate my children. I treat security headers as a vaccine. Have them. Though remember, no vaccine protects you from guns or knives of bad guys who really want your wallet.