Security is getting more and more important these days (as if it wasn't before), so you probably add some response headers for extra security. The problem, I find, is that if you manage them in your web.config and set them too strict or too lenient, you need a new deploy to change them.
There is a nice library called NWebsec that lets you set them in code, but you still need a deploy to change your settings.
I have uploaded a package to the EPiServer NuGet feed that lets you manage them in admin mode. It uses NWebsec to enforce the settings you configure there. The source is on GitHub as usual.
Just remember to exclude the NWebsec assemblies from EPiServer's assembly scanning, otherwise an error will be thrown.
<episerver.framework>
  ...
  <scanAssembly forceBinFolderScan="true">
    <add assembly="*"/>
    <remove assembly="NWebsec" />
    <remove assembly="NWebsec.Core" />
    <remove assembly="NWebsec.Mvc" />
  </scanAssembly>
  ...
</episerver.framework>
One last thing: because the settings are loaded at startup, changing them will restart your website. Just so you know.