Security blog
Step-by-step guides to help your team set security headers correctly, avoid regressions, and ship safer web applications.
8 min read • Website owners, DevOps, platform teams
HSTS done right: enforce HTTPS without breaking subdomains
Learn how to configure Strict-Transport-Security safely, choose max-age values, and roll out includeSubDomains and preload in stages.
12 min read • Frontend teams, security engineers
Content-Security-Policy playbook: stop XSS without blocking your app
Build a practical CSP in phases, avoid unsafe-inline pitfalls, and keep third-party scripts under control.
10 min read • Engineering managers, full-stack teams
Security headers checklist for production websites
A practical checklist for X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Permissions-Policy, COOP, and CORP.