The attached image has the same issues on a few sites that I've published with Webstudio. Is this something that can be improved on my side (Cloudflare or within the builder) or will it need to be Webstudio hosting?
You can surely set them if you proxy requests via a worker, or maybe even just in CF settings, not sure, but we should set those headers ourselves anyways.
I am not sure any of these are actually a security threat in our case. @Ivan Starkov would know more.
All such headers are usually on the framework, i.e. Remix in our case. Anyway, the same can be done with meta tags: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';" /> Not sure we need this, as we are allowing 3rd-party scripts, we are allowing 3rd-party images, etc. And as of now the default policies cover this.
Should we create an issue to keep these reports somewhere in case this discussion comes up again? Would be good to have a pointer to link to with these specific answers there.
I think there are 3 headers mentioned there, are they all not a security issue? Can you please address each of them individually in the issue? If it's not a security concern, it's fine, I just want to have a written statement in the issue I can link to if this comes up again.