Every developer needs access to some servers for example to check the application logs.
Usually, this is done using public-private key encryption where each developer generates their own public-private key pair. The public keys of each developer are added to the authorized_keys file on each server they should have access to.
rec. by https://calpaterson.com/metadata.html : "X-Content-Type-Options, X-Frame-Options and X-XSS-Protections are all pretty baffling and probably mostly mis-set or ignored. How many sites set Content-Security-Policy correctly, or at all? If you're interested in this, I highly recommend the book The Tangled Web. "