Security headers: Are they needed on subsequent requests (eg. Scripts, Images) after they have been sent on the main HTML request?

I had a discussion with pentesters at my company today, who have said that security headers, like for example Content-Security-Policy, Strict-Transport-Security, Referrer-Policy and Permissions-Policy, should always be sent in the subsequent requests within one page (e.g. images, Angular), even if they were sent already with the main request (in our case a JSF page).

My understanding was always that those things are inherited from the main request to the subsequent request and they don't add any security if sent with those.

Apart from the argument that they do not add much in size, is there any reason to include them in the subsequent request? From the point of view of user security or exploitability? I wasn't able to think up a reason why they should be included.

Example of the network trace:

https://somehost/request.jsf -> headers sent
https://somehost/angular-package.js -> no headers sent
https://somehost/logo.png -> no headers sent
https://somehost/font1.woff -> no headers sent

-- User navigates to another page --

https://somehost/request2.jsf -> headers sent
https://somehost/angular-package.js -> no headers sent
https://somehost/additionalImage.png -> no headers sent
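As an added example (not part of the original post), the audit below walks a constructed copy of the trace above and reports, per response, only the headers a browser would actually honor there: Strict-Transport-Security is host-scoped and is processed on any HTTPS response, so its absence on a script, image or font is a real gap, while CSP, Referrer-Policy and Permissions-Policy are only enforced on the response that creates a document (or a worker). The URLs are taken from the question; the header values and content types are constructed.

```python
from typing import Dict, List, Tuple

# Headers the browser only applies to document (or worker) responses.
DOCUMENT_SCOPED = {"Content-Security-Policy", "Referrer-Policy", "Permissions-Policy"}
# HSTS is cached per host from any response received over TLS.
HOST_SCOPED = {"Strict-Transport-Security"}
CHECKED = DOCUMENT_SCOPED | HOST_SCOPED


def is_document(content_type: str) -> bool:
    """True for responses that create a document (HTML/XHTML)."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in ("text/html", "application/xhtml+xml")


def audit(trace: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Map each URL to the checked headers that are missing *and* would matter
    on that kind of response. Document-scoped headers absent from a
    subresource are ignored, because the browser ignores them there too."""
    findings: Dict[str, List[str]] = {}
    for url, headers in trace:
        # Header names are case-insensitive; normalise before comparing.
        present = {name.title() for name in headers}
        ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
        relevant = CHECKED if is_document(ctype) else HOST_SCOPED
        findings[url] = sorted(relevant - present)
    return findings


# Constructed trace mirroring the question's network log (values are made up).
TRACE: List[Tuple[str, Dict[str, str]]] = [
    ("https://somehost/request.jsf", {
        "Content-Type": "text/html;charset=UTF-8",
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "geolocation=()",
    }),
    ("https://somehost/angular-package.js", {"content-type": "application/javascript"}),
    ("https://somehost/logo.png", {"Content-Type": "image/png",
                                   "strict-transport-security": "max-age=31536000"}),
    ("https://somehost/font1.woff", {"Content-Type": "font/woff"}),
    ("https://somehost/request2.jsf", {  # document missing one policy header
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000",
        "Referrer-Policy": "no-referrer",
    }),
]

if __name__ == "__main__":
    for url, missing in audit(TRACE).items():
        print(f"{url}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```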