The security best practices name a few headers that should be set.
Checking a normal asset canister deployed on the IC shows the above-mentioned headers are missing. Can we add them to the asset canister? I guess some of them need to be dynamically set according to the needs of the canister.
Currently you cannot, out of the box, define HTTP header options for the default assets canister.
The doc you linked is indeed a bit misleading at the moment. II sets headers on the HTTP response because II uses its own asset canister. Therefore they were able to develop such a thing (Rust source code).
So one option currently is to fork the certified asset canister and to develop - set - your headers if you want the canister to set that information on the HTTP response.
When it comes to the CSP, another option, which is what I do, is to add the CSP statically in your HTML pages.
The trade-off is that you cannot set all CSP options, e.g. X-Frame-Options can only be set by the backend. That being said, you can set most of the CSP rules from the frontend too. I let you decide if you see the glass half empty or half full.
If you use SvelteKit as I do, you can define the information in the svelte.config; it's quite handy (my CSP source, for example).
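As an added example (not the poster's code, and not code from any DFINITY or SvelteKit project): a small helper that serializes a CSP for a static `<meta>` tag and separates out the directives browsers only honour when the policy arrives as a response header (`frame-ancestors`, `report-uri`, `sandbox`), which is the limitation the post refers to. The sample policy is constructed.

```javascript
// Added example: build a CSP string for a static <meta> tag and report which
// directives still need a response header (i.e. the asset canister).

// Directives the CSP spec defines as header-only; a <meta> policy drops them.
const META_UNSUPPORTED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Serialize a directive map into a policy string, e.g.
// { "default-src": ["'self'"] } -> "default-src 'self'".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Split a policy into the part that works in <meta> and the part that only
// takes effect as a response header.
function splitForMeta(directives) {
  const meta = {};
  const headerOnly = {};
  for (const [name, values] of Object.entries(directives)) {
    (META_UNSUPPORTED.has(name) ? headerOnly : meta)[name] = values;
  }
  return { meta, headerOnly };
}

// Render the <meta> tag for the header-independent part of the policy.
// CSP source values use single quotes, so a double quote would break the
// attribute; reject it rather than emit malformed HTML.
function cspMetaTag(directives) {
  const { meta } = splitForMeta(directives);
  const policy = serializeCsp(meta);
  if (policy.includes('"')) throw new Error("double quote in CSP value");
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Constructed sample policy for a canister frontend (values are illustrative).
const SAMPLE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "connect-src": ["'self'"],
  "frame-ancestors": ["'none'"],
  "upgrade-insecure-requests": [],
};

console.log(cspMetaTag(SAMPLE_POLICY));
console.log("header-only:", serializeCsp(splitForMeta(SAMPLE_POLICY).headerOnly));
```

Anything that lands in `headerOnly` (here `frame-ancestors 'none'`) is what the backend, not the HTML page, has to emit.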
Thanks for the response, very much looking forward to that, and welcome to the forum. Are you following @peterparker's recommendation for defining them in the dfx.json, or what's the plan?
Thanks!
The feature is currently in a design phase. dfx.json was the initial plan, but it has currently pivoted to having a JSON config file inside the assets directory; however, it may also be subject to change, and I'm not sure what the schedule is for solidifying the design, but we're getting there!