Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

A handful of response headers constitute your browser-side security policy: they upgrade connections, fence scripts, and forbid framing. Setting them per-application invites drift; the edge sets them once, uniformly, on every response including the error pages applications forget.

The non-negotiables

Strict-Transport-Security pins browsers to HTTPS for its max-age; deploy long-lived HSTS only after confirming every subdomain speaks TLS, because includeSubDomains is a promise your whole estate must keep, and preload-list submission makes it nearly irrevocable. X-Content-Type-Options: nosniff ends MIME-guessing attacks for one header’s price. Frame control (frame-ancestors in CSP, X-Frame-Options for legacy) is your clickjacking defense. These three are pure win; the edge should stamp them estate-wide today.

CSP, the policy with a blast radius

Content-Security-Policy fences where scripts, styles and connections may originate, which neuters whole exploit classes and, deployed carelessly, breaks your own site with equal efficiency. The adult deployment path: report-only mode first, collecting violations to an endpoint while enforcing nothing; iterate the policy against real traffic (third-party tags, our audit article’s registry, are most of the iteration); then enforce, keeping report-uri active as standing telemetry. Nonce-based script allowances beat host allowlists where your templating can inject them.

The reporting pipeline deserves elevation from afterthought to asset: CSP violation reports, and the broader Reporting-API family covering deprecations, crashes and network errors, constitute browser-side telemetry about your estate that no server log contains, third-party scripts misbehaving, extensions injecting content, regions where middleboxes tamper with pages. Estates that route these reports into real observability (sampled, aggregated, alarmed) repeatedly discover integrity issues weeks before users report symptoms. The browser fleet is the one vantage point you cannot buy from any vendor, and these headers are how it phones home; wiring the phone is the underrated half of the deployment.

Why the edge is the right stamping layer

Uniformity: one config covers every application, microservice and error page behind the hostname. Auditability: the policy lives in the config-as-code pipeline from our canary article, reviewed and versioned. And override discipline: edge rules can normalize contradictory origin headers (two apps disagreeing about frame policy is a finding, not a feature). The residual per-app case, CSP nonces needing template cooperation, argues for edge-and-app collaboration, not app-only ownership.

In practice

Scan your production hostnames with any headers-grading tool for the baseline; stamp the non-negotiables at the edge this week; start CSP in report-only with a violation endpoint and a quarterly iteration cadence; and add header presence to your synthetic checks so regressions page someone. Security headers are the rare control that is one config block, globally effective and empirically verifiable in seconds; estates missing them are declining free defense.

Header audits here take an hour and return the stamped-policy config plus the report-endpoint design. Free defense, collected.

Get the free assessmentMore analysis