Everything seemed fine until the site was tested on securityheaders.com and returned a D rating. No warnings. No visible issues. Just a silent vulnerability that went completely unnoticed.
What if this had been a client’s website?
Website security builds trust. And trust is the foundation of any digital product. From the first second, a visitor should feel safe. Security isn’t just a technical layer — it’s a core part of a professional brand.
By the way: another essential check is SSL Labs. If your site doesn't have a valid SSL certificate or it's misconfigured, the browser will warn users. Test your domain and make sure everything runs over HTTPS with strong encryption.
What was done
I added proper HTTP security headers in my Next.js project:
- Content-Security-Policy
- Permissions-Policy
- Strict-Transport-Security
- Referrer-Policy
- X-Content-Type-Options
- X-Frame-Options
I set them up in middleware using NextResponse, crypto, and a generated nonce. This allowed me to implement a CSP without using 'unsafe-inline' and still keep Google Analytics functional.
What changed
I got an A+ rating on securityheaders.com and passed the CSP Evaluator. The browser now trusts my site, and so do I.
How you can do it too
- Test your site at securityheaders.com
- Run it through CSP Evaluator
- Check your TLS configuration with SSL Labs
- Add headers in your Next.js middleware
- Re-test and aim for A+
I build websites that aren’t just fast and beautiful. I build sites that are secure, accessible, SEO-optimized, and reliable. If your website represents your brand, it needs to earn trust from the very first request.