I have an application stack that uses several subdomains of subdomains.. eg develop.api.module.mydomain.com
develop.api.module.mydomain.com is a .net core 3.1 API
I set the headers using nwebsec.aspnetcore.middleware eg
app.UseXfo(xfo => xfo.Deny());
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseXContentTypeOptions();
app.UseReferrerPolicy(opts => opts.NoReferrer());
When I make a request to the API at this URL I can see the response headers are set correctly as expected
BUT! securityheaders.io isn't happy :)
Is that something I can fix in terms of getting securityheaders.io to recognise the response headers are indeed coming back?