We scanned 5 popular security scanners — and every one still leaked something
We scanned 5 popular security scanners with our own engine. None had a critical flaw — but every one leaked something Medium. Here is what, and why it matters.
A practical reference: the security headers worth setting, sane values for each, and exactly what every line buys you. Copy it, adjust the CSP, ship it.
You have HTTPS — but the first plain-HTTP request is still a weak point. HSTS closes it by telling the browser to never speak HTTP to your site again.
CSP is the strongest defense against cross-site scripting — and the most misunderstood header. Here is what it actually does, minus the jargon.
Security headers are short instructions your server sends with every page, telling the browser to switch on protections. Most sites are missing several. Here is the shortlist.