OK, the real saying is the fish rots from the head down: if your CEO allows awful behaviours to happen at work without intervention, then they should take the blame when those behaviours become normalised in the organisation that they run. This post is not about that.
When you’re getting a pen test for your web application, testers are duty-bound to give you findings about your missing HTTP headers. It’s important, but it also muddies the waters with findings that anyone could generate. If you visit Security Headers and ensure that your application has a clean scan before the pen testers show up, you’ll get a cleaner report.
I scanned this site last week and got a D. After reading the recommendations and adding some Zeit config, it’s an A+. Probably not a huge achievement for this static site, but a good tool to have in the shed.
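A local pre-check in the same spirit, as an added example that is not from the original post and does not reproduce Security Headers' grading. The header list and the HSTS minimum are assumptions, and both sample responses are constructed.

```python
# Added example: offline audit of a response's security headers.
# The header list and threshold are assumptions, not Security Headers' rules.
import re

MIN_HSTS_AGE = 15552000  # 180 days in seconds; assumed minimum

def audit_headers(headers):
    """Return a sorted list of findings for a dict of response headers."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("weak Strict-Transport-Security max-age")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Framing is controlled by X-Frame-Options or CSP frame-ancestors.
    directives = [d.split()[0].lower() for d in (csp or "").split(";") if d.strip()]
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("no framing protection")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    for name in ("Referrer-Policy", "Permissions-Policy"):
        if name.lower() not in h:
            findings.append(f"missing {name}")
    return sorted(findings)

# Constructed sample responses, not captured from any real site.
BEFORE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}
AFTER = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "clean")
```

Feeding it the header dict from a staging response before the testers arrive shows which of these findings would land in the report.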