Security headers with transform rules

I tried to implement common security headers with transform rules like this answer:

The answer sends security headers with all SSL/HTTPS responses.
I think the security headers need to be sent only with the HTML file response and not with the other files (js/css/…). Is that true?
How do I implement security headers with transform rules for html files only?

It depends on whether your web app shows .html in the URL address bar. If yes, then using Transform Rules I would just add the “AND” operator, use “URI Path”, then “contains”, and write “.html” (without double quotes) in the input field to match every “.html” document.

Thanks, it works but…
It adds the security header to html files only and fails the Mozilla test:

I added Referrer-Policy, Strict-Transport-Security, X-Frame-Options and X-XSS-Protection headers. Should I add all the headers to all file types (css, js, png, ico, json, …)?

Didn’t we want that at first? :thinking:

What do you get as a result?

Maybe it fails because you don’t have all of them → I don’t have all of them added either.

Only the ones I use and find useful in my case → but they are defined within the SSL/TLS tab → Edge Certificates → section “HTTP Strict Transport Security (HSTS)” → Change HSTS Settings.

Others I define for my whole domain/website either at the origin host/server or by Transform Rules - and not only per specific filetype.

With headers added to all the file types I get a C+ grade in the Mozilla test.
With headers added to html files only I get an F grade…
Which file types need the security headers added?