> Second, in many environments (managed hosting etc.) there is not an easy way (or indeed a way at all) of adding headers to responses.

It's getting better. Most serverless hosts (including Cloudflare, which this site uses) follow the (req: Request) => Response pattern, which by definition allows sending headers.

What are you talking about. Any non-static hosting will let you specify headers with a plain php function. Any baseline shared hosting offers that kind of control and has done so for the past 20+ years.

is that something that could have be done in the dot file for server override? what was it, .htaccess or something?