I was just going to make a feature request about security headers, but found this thread in the search. Adding these would be super beneficial, as testing my weblog comes back with a D rating over at securityheaders.com.
It shouldn’t be too much longer before we’ll have custom header controls for both omg.lol profile pages and weblog.lol. I did make a couple of small (and hopefully safe) global updates just now, which should earn you an “A” on securityheaders.com — though it’s admittedly not a well-deserved grade because the CSP is super lenient. As a global policy for 4,000+ omg.lol profile pages, it kind of has to be (since all kinds of folks have all kinds of stuff going on with their profile pages). The other issue is that I can’t enable the X-Frame-Options header since there’s no explicit valid “allow” option (only directives for denying in general or when not on the same origin) and we do have members who display their omg.lol pages in frames on other sites.
Once everyone can define their own headers, though, the freedom and flexibility to be as restrictive or permissive in various security policies will be in everyone’s individual hands. Stay tuned!
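As an added example (not code from this thread or from omg.lol), the following audits a set of response headers much as a headers scanner would and shows the framing trade-off raised above: X-Frame-Options offers only DENY and SAMEORIGIN, whereas the CSP frame-ancestors directive can allow-list the specific origins permitted to frame a page. The header values and the partner.example origin are constructed.

```python
# Added example, not the omg.lol project's code. Audits HTTP response headers
# the way a scanner would; X-Frame-Options has no per-origin allow value, while
# CSP frame-ancestors can allow-list the origins permitted to frame the page.
EXPECTED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy")

def parse_csp(value):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def framing_policy(headers):
    """Who may frame the page: 'none', 'self', 'any', or an allow-list of sources."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if sources:                                   # CSP takes precedence over XFO
        if sources == ["'none'"]:
            return "none"
        return "self" if sources == ["'self'"] else sources
    xfo = h.get("x-frame-options", "").strip().upper()
    return {"DENY": "none", "SAMEORIGIN": "self"}.get(xfo, "any")

def audit(headers):
    """Findings a scanner would flag; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in EXPECTED if name not in h]
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("default-src", "script-src"):
        sources = csp.get(directive, [])
        if "*" in sources or "'unsafe-inline'" in sources:
            findings.append(f"lenient {directive}: {' '.join(sources)}")
    if framing_policy(headers) == "any":
        findings.append("framing unrestricted")
    return findings

# Constructed samples: a lenient site-wide policy with no framing control, and a
# per-page policy that allows framing only from one made-up partner origin.
GLOBAL_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
MEMBER_HEADERS = {**GLOBAL_HEADERS, "Content-Security-Policy":
                  "default-src 'self'; frame-ancestors 'self' https://partner.example"}
```

Running `audit` on both sample sets shows the global policy flagged for its wildcard source and unrestricted framing, while the per-page policy passes with framing limited to the listed origins.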