I just set up a Go web API behind a Caddy server that has HTTPS by default via Let's Encrypt; the server proxies all requests to the web API. So I went around testing my web server's "security" on sites such as securityheaders.io. They gave me an F, so I added the headers they demanded and I got an A:
Access-Control-Allow-Methods "GET, POST, OPTIONS"
Strict-Transport-Security "max-age=31536000;"
Content-Security-Policy "script-src 'self'"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
-Server
These are the headers I currently have, but I'd like to know if they are necessary for security when what I'm making is not a website but rather an API web server, something like:
Access-Control-Allow-Methods "GET, POST, OPTIONS"
-Server
So basically, are all those security headers necessary if you want to just request your API?
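For reference, here is how the same header set could be applied in the Go API itself rather than in Caddy, so that the headers survive if the service is ever exposed without the proxy. This is an added example, not code from the post; the handler, mux and helper names (`withSecurityHeaders`, `newMux`, `responseHeaders`, `missingHeaders`, the `/ping` route) are invented for illustration, and the header values mirror the list in the post (the trailing semicolon on the HSTS value is dropped, as it carries no meaning).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// apiHeaders holds the response headers listed in the post. Values are
// copied from there; only the trailing ";" on Strict-Transport-Security
// is left off, since the header grammar does not need it.
var apiHeaders = map[string]string{
	"Strict-Transport-Security":    "max-age=31536000",
	"Content-Security-Policy":      "script-src 'self'",
	"X-XSS-Protection":             "1; mode=block",
	"X-Content-Type-Options":       "nosniff",
	"X-Frame-Options":              "DENY",
	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
}

// withSecurityHeaders wraps a handler and sets apiHeaders on every response.
// Headers must be set before the first Write/WriteHeader, so the wrapper
// sets them first and only then delegates to the wrapped handler.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for k, v := range apiHeaders {
			h.Set(k, v)
		}
		// Go's net/http does not emit a Server header on its own, so there is
		// nothing to strip here. The "-Server" line in the post is a Caddy
		// directive that removes the header Caddy itself would add.
		next.ServeHTTP(w, r)
	})
}

// pingHandler is a hypothetical stand-in for the real API endpoints.
func pingHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
}

// newMux builds the wrapped handler used by main and by the check below.
func newMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/ping", pingHandler)
	return withSecurityHeaders(mux)
}

// responseHeaders sends an in-process request through h and returns the
// response headers, so the wiring can be verified without a real listener.
func responseHeaders(h http.Handler, method, path string) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Result().Header
}

// missingHeaders returns the names from apiHeaders that are absent from,
// or carry a different value in, the given response headers.
func missingHeaders(got http.Header) []string {
	var missing []string
	for k, v := range apiHeaders {
		if got.Get(k) != v {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	got := responseHeaders(newMux(), http.MethodGet, "/ping")
	fmt.Println("missing headers:", missingHeaders(got))
	// Real deployment behind Caddy would be:
	//   http.ListenAndServe("127.0.0.1:8080", newMux())
}
```

Two things worth checking when moving headers into the application: `Access-Control-Allow-Methods` only matters for cross-origin browser requests and only takes effect alongside an `Access-Control-Allow-Origin` header, which the post's list does not include; and if both Caddy and the Go service set the same header, the client sees whichever one the proxy leaves in place, so it is best to set each header in exactly one layer.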