#StackBounty: #http-headers Is it considered bad practice to not have security headers on my API?

Bounty: 50

I have two websites at the moment.

  • admin.example.com
  • api.example.com

The “admin” one has all the security headers recommended by https://securityheaders.io.

The “api” has none, which is deliberate. I know that this application will only serve JSON and is a relatively simple API.

Is this bad practice? Do the headers protect against any issues for an API-only site?

I already have HSTS headers set in both scenarios, which is obviously important.

