I understand the benefits of using CSP, but is it a waste to send those headers for anything other than HTML files? Do I need to send CSP headers on an image, for example? For a .js file?


Solution

The Content-Security-Policy header only makes sense on HTML pages.

A security header that would make sense for an image or other resource would be Access-Control-Allow-Origin. But that is restrictive by default, so you don't need to do anything with that.
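One way to put the answer into practice, as an added example that is not part of the original post: a small Node.js helper that attaches Content-Security-Policy only to responses whose Content-Type is text/html, and leaves images, scripts and other resources alone. The policy string, the function names and the sample response table are assumptions chosen for illustration.

```javascript
// Added example (not from the original Q&A): attach Content-Security-Policy
// only to HTML documents, based on the response's Content-Type.

// Example policy value; this is an assumption, adjust it per site.
const CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Extract the media type from a Content-Type value, ignoring parameters such
// as "; charset=utf-8" and differences in letter case.
function mediaTypeOf(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True when the response body is an HTML document.
function isHtml(contentType) {
  return mediaTypeOf(contentType) === 'text/html';
}

// Return a copy of the outgoing headers with Content-Security-Policy added
// only for HTML. Images, scripts and stylesheets pass through unchanged.
function withSecurityHeaders(headers) {
  const out = { ...headers };
  const contentType = headers['Content-Type'] || headers['content-type'];
  if (isHtml(contentType)) {
    out['Content-Security-Policy'] = CSP_POLICY;
  }
  return out;
}

// Constructed sample responses, as a static server might produce them.
const sampleResponses = {
  '/index.html': { 'Content-Type': 'text/html; charset=utf-8' },
  '/app.js': { 'Content-Type': 'application/javascript' },
  '/logo.png': { 'Content-Type': 'image/png' },
};

// Apply the helper to every sample response and return the results by path.
function demo() {
  const result = {};
  for (const [path, headers] of Object.entries(sampleResponses)) {
    result[path] = withSecurityHeaders(headers);
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the CSP header present on `/index.html` only; `/app.js` and `/logo.png` keep just their Content-Type. The same check can sit in a response hook of whatever server framework is in use.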

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow