I have two websites at the moment.
The “admin” one has all the security headers recommended by https://securityheaders.io.
The “api” has none, which is deliberate. I know that this application will only serve JSON and is a relatively simple API.
Is this bad practice? Do the headers protect against any issues for an API-only site?
I already have HSTS headers set in both scenarios, which is obviously important.
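One concrete way to check a JSON-only endpoint, as an added example that is not part of the original post: a small Python audit of the response headers that still matter for an API (per the OWASP REST Security Cheat Sheet), run over two constructed sample responses. The header set, the check rules and the sample values are assumptions of this example, not something the poster stated.

```python
# Headers that still matter for a JSON-only API, with the rule each must satisfy.
# Browser-rendering headers that securityheaders.io also scores (Referrer-Policy,
# Permissions-Policy, ...) are left out: a response that is never rendered as HTML
# does not need them. Keys are lower-case so matching is case-insensitive.
API_HEADER_CHECKS = {
    # HSTS: the poster already has this; keep it on the API too.
    "strict-transport-security": lambda v: v is not None and "max-age=" in v.lower(),
    # Stops a browser from sniffing a JSON body into HTML/script if a URL is opened directly.
    "x-content-type-options": lambda v: v is not None and v.strip().lower() == "nosniff",
    # Declares the body as JSON so it is never interpreted as a document.
    "content-type": lambda v: v is not None and v.lower().startswith("application/json"),
    # Keeps authenticated responses out of shared/proxy caches.
    "cache-control": lambda v: v is not None and "no-store" in v.lower(),
    # Minimal CSP for a non-HTML response: nothing may load, and it may not be framed.
    "content-security-policy": lambda v: v is not None
    and "default-src 'none'" in v.lower()
    and "frame-ancestors 'none'" in v.lower(),
}


def audit_api_headers(headers):
    """Return the names of the checks in API_HEADER_CHECKS that `headers` fails.

    `headers` maps header name -> value (any case), e.g. from response.headers.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return [name for name, ok in API_HEADER_CHECKS.items() if not ok(lowered.get(name))]


# Constructed sample: the "api" site as described, HSTS only plus a JSON content type.
API_RESPONSE_MINIMAL = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "application/json",
}

# Constructed sample: the same API with the API-relevant headers added.
API_RESPONSE_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, sample in (("minimal", API_RESPONSE_MINIMAL), ("hardened", API_RESPONSE_HARDENED)):
        print(label, "missing/weak:", audit_api_headers(sample) or "none")
```

Running it shows the HSTS-only response failing the nosniff, cache-control and CSP checks, while the hardened one passes all five.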