Yes, you can: run your website on SSL/TLS. They can only inject headers in traffic they can inspect, which they can with plain HTTP, because it’s just plain text, but they can’t do that with SSL/TLS, because the data is encrypted.
The added advantage is that all traffic between the customer and your website is encrypted, so even if someone was snooping somewhere in the middle they would only know the person was somewhere on your website, but couldn’t tell what they were looking at.
It’s time to ditch HTTP altogether and make SSL/TLS mandatory.
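A defender-side check for the header injection discussed above, as an added example that is not part of the original post: compare the request headers a test client sent with what your server logged as received. Both requests and the header name `X-Injected-Id` are constructed for illustration, and the TLS case assumes the server sees exactly what the client sent.

```python
# Added example: detect headers injected by an intermediary on plain HTTP.
# All request bytes are constructed samples; "X-Injected-Id" is a made-up name.

def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request head into {lowercased-name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # ignore malformed lines
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are joined with a comma, as HTTP allows.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Report headers added, removed or changed between client and server."""
    s, r = parse_headers(sent), parse_headers(received)
    return {
        "added": sorted(k for k in r if k not in s),
        "removed": sorted(k for k in s if k not in r),
        "changed": sorted(k for k in s if k in r and s[k] != r[k]),
    }

# What the test client sent.
SENT = (b"GET /page HTTP/1.1\r\nHost: shop.example\r\n"
        b"User-Agent: demo/1.0\r\nAccept: */*\r\n\r\n")
# What the server logged over plain HTTP: an intermediary appended a header.
RECEIVED_HTTP = (b"GET /page HTTP/1.1\r\nHost: shop.example\r\n"
                 b"User-Agent: demo/1.0\r\nAccept: */*\r\n"
                 b"X-Injected-Id: abc123-constructed\r\n\r\n")
# Over TLS the intermediary only sees ciphertext, so the request is unchanged.
RECEIVED_TLS = SENT

if __name__ == "__main__":
    print("plain HTTP:", diff_in_transit(SENT, RECEIVED_HTTP))
    print("over TLS:  ", diff_in_transit(SENT, RECEIVED_TLS))
```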
Thank you, that is interesting. But how would you go about running a site on “SSL/TLS”, and would it preclude it being a public site? Would there be an added expense for the https://ssl?
thx
D