That is outside the scope of httpd; use relayd.

I'd love to know what header you desperately need just for a static file, that would necessitate a behemoth such as nginx, or apache and all it's CVEs?

Simply having all the bells, whistles and free candy, doesn't determine 'toy' status

X-some-signal-to-tell-aws-that-its-okay-to-use-this-file: true

"Why would anyone need this" was also the typical dismissive response I got when looking around for help.

It's definitely a legitimate question - not everybody knows that AWS needs some silly header, nor why. OpenBSD people will be the first to call out unnecessary/outlandish requests unless you can back it up with a good reason outright.

I appreciate the fact that httpd doesn't attempt to be the end-all server for everybody - its primarily a lightweight way to run things like the BGPd looking glass, other tools, a simple website, or something via fastcgi. The term they use often when denying pull requests is 'Featuritis', which Apache & Nginx suffer from.

what would you recommend for someone needing to add headers?

If you're using httpd you'd probably pair it with relayd.

With relayd you can add custom headers, as this random example shows:

https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache...

However that's probably not great still, because it's a global solution to a per-file problem.

I had the same issue (wanted to add a Content-Security-Policy header to a site hosted on OpenBSD httpd) and switched to https://www.lighttpd.net/