Security
- **Modern HTTP security headers**: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. The six headers every modern site should ship.
- **HSTS Preload**: Hardcodes 'always HTTPS' for your domain into every major browser. The strongest possible HSTS posture.
- **TLS 1.2+ baseline**: Disable TLS 1.0 and 1.1. They've been deprecated since 2020. PCI-DSS requires it; everyone else should too.
- **DNSSEC**: Cryptographically signs your DNS records so resolvers can detect tampering. Underused — but increasingly expected for finance, gov, and email.
- **CAA records**: Tells the world which certificate authorities are allowed to issue certificates for your domain. Stops rogue CA issuance dead.
- **Valid SSL certificate**: Certificate is current, not expiring soon, and chains to a trusted root. Failing this is a hard browser block.
- **Forward secrecy**: Even if your server's private key leaks tomorrow, past traffic stays unreadable. Mandatory in TLS 1.3 — make sure your stack negotiates it.
- **Content Security Policy Level 3**: The deployable CSP today. script-src, object-src, and base-uri are the three controls that actually stop XSS — the rest is optional.
- **Subresource Integrity**: Cryptographic hash on every CDN-loaded `<script>` and `<link>`. If the file changes, the browser refuses to load it. Cheap defence against supply-chain compromise.
- **Cross-Origin isolation (COOP / COEP / CORP)**: Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
- **Permissions-Policy**: Locks down browser features — camera, mic, geolocation, payment, FLoC — so a compromised script can't quietly turn them on. Replaces the older Feature-Policy header.
- **Referrer-Policy**: Controls what URL data leaks to other sites in the Referer header. Modern browsers default to strict-origin-when-cross-origin — match that as a baseline.
- **X-Frame-Options + frame-ancestors**: Stops other sites from embedding yours in an iframe — the prerequisite for clickjacking. CSP frame-ancestors is the modern equivalent; ship both for safety.
- **X-Content-Type-Options: nosniff**: Tells the browser to trust your declared Content-Type instead of guessing. Stops 'I uploaded a JPG that was actually JavaScript' attacks dead.
- **HTTP Strict Transport Security**: One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
- **security.txt**: A plain-text file at /.well-known/security.txt that tells researchers where to send vulnerability reports. Costs nothing; saves an inbound bug report from getting routed to /dev/null.
- **PCI DSS v4.0**: If you store, process, or transmit card data — directly or through an iframe — PCI DSS applies. v4.0 is mandatory; v3.2.1 retired in March 2024.
- **SOC 2 (Type I & Type II)**: An auditor's report — not a checklist — covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II is the one enterprise buyers actually care about.
- **ISO/IEC 27001:2022**: International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
- **NIST Cybersecurity Framework 2.0**: Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.
- **OWASP Top 10 (2025)**: Industry consensus on the ten most critical web application security risks. The 2025 edition is current; 2021 is superseded but still widely referenced.
- **DANE for SMTP**: DNSSEC-anchored TLSA records that pin the certificate your mail server presents. The other (older, stricter) path to authenticated mail-in-transit alongside MTA-STS.
- **TLS 1.3**: The modern target, not the minimum. One round-trip handshake, mandatory forward secrecy, every weak cipher removed. If your stack supports it, prefer it.
- **OCSP Stapling**: Server attaches a fresh signed revocation status during the TLS handshake — so clients don't have to call out to the CA. Faster handshakes, better privacy.
- **Certificate Transparency**: Every publicly-trusted certificate must appear in append-only public logs. Chrome, Safari, and Edge enforce it — non-CT certs throw a hard browser error.
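The header items above (the six-header baseline, the three CSP controls that stop XSS, frame-ancestors plus X-Frame-Options, nosniff, and the strict-origin-when-cross-origin referrer baseline) can be checked mechanically. The following is an added example, not code from the page or any scanner it describes; the header names are the standard ones, the `audit_headers`/`parse_csp` functions and the WEAK/HARDENED response samples are constructed for illustration.

```python
# Added example (not page code): audit response headers against the baseline above; samples are constructed.
import re
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}  # >= baseline
CSP_REQUIRED = ("script-src", "object-src", "base-uri")  # the three CSP controls that actually stop XSS

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}; first occurrence of a directive wins."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings against the baseline; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("HSTS: missing")
    elif max_age is None or int(max_age.group(1)) == 0:  # max-age=0 disables HSTS
        findings.append("HSTS: max-age missing or zero")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: missing")
    else:
        d = parse_csp(csp)
        findings += [f"CSP: {n} not set" for n in CSP_REQUIRED if n not in d]
        if "'unsafe-inline'" in d.get("script-src", []):  # re-enables inline script, defeating the XSS control
            findings.append("CSP: script-src allows 'unsafe-inline'")
        if "frame-ancestors" not in d:
            findings.append("CSP: frame-ancestors not set")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff'")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy: weaker than strict-origin-when-cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")
    return findings

WEAK = {"Content-Type": "text/html", "Referrer-Policy": "unsafe-url",  # constructed: a typical default response
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",  # constructed sample
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()"}
```

Running `audit_headers(WEAK)` lists nine findings, while `audit_headers(HARDENED)` returns an empty list; point it at a real response's headers (for example from `requests` or `curl -I`) to audit a live site.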