Security·Apr 5, 2026·1 min read

Secure by default: the web headers we ship on every site

Most security wins are free — they're just configuration. Here are the defaults that get you to an A+ grade.

A surprising amount of web security is just sensible defaults that nobody set. Here's the baseline we ship on every project.

The headers that matter

Strict Content-Security-Policy
HSTS to force HTTPS
X-Content-Type-Options: nosniff
Referrer-Policy and Permissions-Policy
Sensible cookie flags

Pair those with dependency scanning and a WAF at the edge and you've closed the easy doors before anyone tries them.

Building something like this?

We’d love to help you ship it.

Talk to our experts

More insights

RAG in production: grounding LLMs on your own data

Shipping at 95+ Lighthouse: a performance playbook

From AI experiments to reliable, shipped products

CGCodeGenIT

Hi there 👋
How can we help you?

Start a projectTell us what you need — reply within 1 business day→Email usInfo@codegenit.com→Chat on WhatsAppMessage us instantly→

Typically replies within 1 business day