Security headers
Security headers harden the browser against common attacks: CSP against script injection, X-Content-Type-Options against type confusion, Referrer-Policy for controlled data exposure.
In practice
They cost a few configuration lines and return a reduced attack surface — plus a clean score on the scanners that clients and partners occasionally check. Deployment requires testing: an overly strict CSP silently breaks features. Our reference configurations apply them by default on every new site.