Title here
Summary here
Headers
Security headers are a low-cost way to harden your site at the edge.
Start with a safe baseline
Use these headers for all routes (example for Netlify):
[[headers]]
for = "/*"
[headers.values]
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "SAMEORIGIN"
Referrer-Policy = "strict-origin"
Permissions-Policy = "geolocation=(self), microphone=(), camera=()"Add CSP separately and keep it strict
Treat CSP as its own policy and iterate carefully as scripts and integrations evolve.
- Start with
default-src 'self' - Add only required origins
- Prefer nonces/hashes over
unsafe-inline
Be intentional with cache headers
Apply long-lived caching to fingerprinted static assets, and shorter/revalidated caching to HTML.
Validate after deployment
In browser dev tools and scanners, confirm:
- Headers are present on HTML and static assets
- HTTPS and HSTS are active
- No unexpected framing or MIME issues
- No CSP violations on critical pages