The most important security feature to enable via headers is Trusted Types.
Trusted Types disallows using APIs that dynamically evaluate or load JavaScript. This largely prevents client-side remote code execution vulnerabilities (XSS).
Static site design + strong CSP does the rest.
Serious question: what is the best way to implement client-side Markdown renderers?
Yes, that still works fine with strict Trusted Types. If you do that rather than using innerHTML, you can simply enable strict Trusted Types rather than needing policies to whitelist HTML sanitizers / generators. That's what TT policies are for, like using unsafe blocks in Rust.
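As an added illustration of the approach in the reply above (not code from anyone in the thread), here is a small Markdown renderer that builds its output purely with createElement / textContent / createTextNode, so it runs under `require-trusted-types-for 'script'` with no Trusted Types policy at all; the supported Markdown subset and the `fakeDocument` shim (a stand-in for the browser `document` so it runs outside a browser) are assumptions of this example.

```javascript
// Markdown-to-DOM renderer that never uses innerHTML, outerHTML,
// insertAdjacentHTML or DOMParser, so it runs unchanged under
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none'
// without registering any policy. Hypothetical subset: # headings, paragraphs, *emphasis*, `code`.
const INLINE = /(\*[^*]+\*|`[^`]+`)/;

function renderInline(doc, parent, text) {
  for (const part of text.split(INLINE)) {
    if (!part) continue;
    if (part.startsWith('*') && part.endsWith('*')) {
      const em = doc.createElement('em');
      em.textContent = part.slice(1, -1); // textContent never parses markup
      parent.appendChild(em);
    } else if (part.startsWith('`') && part.endsWith('`')) {
      const code = doc.createElement('code');
      code.textContent = part.slice(1, -1);
      parent.appendChild(code);
    } else {
      parent.appendChild(doc.createTextNode(part)); // a literal "<b>" stays text
    }
  }
}

// In a browser: document.body.appendChild(renderMarkdown(document, md)).
function renderMarkdown(doc, md) {
  const root = doc.createElement('div');
  for (const block of md.split(/\n\s*\n/)) {
    const src = block.trim();
    const m = /^(#{1,6})\s+(.*)$/.exec(src);
    const el = doc.createElement(m ? 'h' + m[1].length : 'p');
    renderInline(doc, el, m ? m[2] : src);
    root.appendChild(el);
  }
  return root;
}

// Constructed stand-in for `document` (assumption of this example) so it runs in Node;
// it only records the tree, and serialize() shows exactly what the browser would render.
function fakeDocument() {
  const node = (tag) => ({
    tag, children: [],
    appendChild(c) { this.children.push(c); },
    set textContent(s) { this.children = [{ text: s }]; },
  });
  return { createElement: node, createTextNode: (text) => ({ text }) };
}
function serialize(n) {
  if (n.text !== undefined) return n.text.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
  return `<${n.tag}>${n.children.map(serialize).join('')}</${n.tag}>`;
}
```

Because no sink that accepts a string of HTML is ever touched, raw markup in the Markdown source is rendered as visible text rather than parsed, which is what lets strict Trusted Types stay on without a policy.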