security headers
I have to say I was delighted to see that Plesk.com (unlike so many sites) has all its security headers* in order, but it would be really good if this was a thing that could be operated easily from within Plesk given the massive importance of them. It would also tidy up A LOT of the stuff to do with many of the things that people are asking on here with things like X- headers, Pragma and Caching, etc.
There are a few plugins that are usable for this for WordPress (probably other things, but not the admin panel or customer accounts). And that depends on WordPress users using it and only for their individual sites. Plus they are notoriously problematic for those users who do not know how to use them, and so pulling it back to admin would be much better. One example for WordPress, to show what I am thinking of (the one I use but have no 'interest'/connection with the maker of), is this one (maybe as an indication of what I would think would be good):
https://wordpress.org/plugins/gd-security-headers/
This is comprehensive and powerful, but it is a bit complex compared to some others. Still it would simplify/enhance things a lot compared to just plugging values in manually to the Apache/Nginx/LiteSpeed htaccess/etc. editor (the one in that tiny box that is SO problematic to use).
Here is Plesk's, which whilst not A+ is still much better than most of the web - would be great to see Plesk overtake cPanel and other things like that in doing that, if nothing else, on the Agency Plan
https://securityheaders.com/?q=plesk.com&followRedirects=on
- well, no permissions policy, no referrer policy, risky content-security policy, risky access control allow, none of the future-proofing headers, not using HTTP/3, revealing use of Plesk and PHP (and version) and server, still using public caching (but secure cookie policy!), using LiteSpeed (which we don't get on the agency plan), no pinning, no Brotli, etc. but still, better than GCHQ!
We understand that you are asking to add specific headers and maybe to remove others, but the broad range of what could be expected does not allow this to be done in a single feature request. It is also not possible to standardize such settings as the vast number of users all require different settings. All headers can already be individually set, it just needs an individual analysis what makes sense and what does not, tailored to each website.
-- PD
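
The per-site analysis mentioned in the reply, and the gaps listed in the request, can be checked mechanically from a response's headers. This is an added example, not part of the original thread or of Plesk; the sample headers are constructed, and treating `'unsafe-inline'`/`'unsafe-eval'` as a "risky" CSP and `*` as a "risky" access-control value are assumptions, since the post does not say what was flagged.

```python
# Added example: audit response headers for the gaps named in the request.
# SAMPLE is constructed for illustration, not captured from any real site.
SAMPLE = {
    "Server": "ExampleServer",
    "X-Powered-By": "PHP/x.y.z",  # placeholder version string
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "Cache-Control": "public, max-age=3600",
    "Set-Cookie": "session=abc; Secure; HttpOnly; SameSite=Lax",
}

REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy")
DISCLOSING = ("Server", "X-Powered-By")

def audit(headers):
    """Return a list of findings for one response's headers (a dict)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing: {n}" for n in REQUIRED if n.lower() not in h]
    findings += [f"discloses software: {n}" for n in DISCLOSING if n.lower() in h]
    # Assumption: these CSP keywords are what makes a policy "risky".
    csp = h.get("content-security-policy", "")
    findings += [f"weak CSP: {t}" for t in ("'unsafe-inline'", "'unsafe-eval'") if t in csp]
    # Assumption: a wildcard origin is the "risky access control allow" case.
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("weak CORS: wildcard origin")
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "public" in directives:
        findings.append("public caching")
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        findings += [f"cookie lacks {a}" for a in ("secure", "httponly") if a not in attrs]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A site that sets several cookies sends several `Set-Cookie` headers, so a real check would loop over each one rather than read a single dict value.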