A handful of response headers constitute your browser-side security policy: they upgrade connections, fence scripts, and forbid framing. Setting them per-application invites drift; the edge sets them once, uniformly, on every response including the error pages applications forget.
The non-negotiables
Strict-Transport-Security pins browsers to HTTPS for its max-age; deploy long-lived HSTS only after confirming every subdomain speaks TLS, because includeSubDomains is a promise your whole estate must keep, and preload-list submission makes it nearly irrevocable. X-Content-Type-Options: nosniff ends MIME-guessing attacks for one header’s price. Frame control (frame-ancestors in CSP, X-Frame-Options for legacy) is your clickjacking defense. These three are pure win; the edge should stamp them estate-wide today.
CSP, the policy with a blast radius
Content-Security-Policy fences where scripts, styles and connections may originate, which neuters whole exploit classes and, deployed carelessly, breaks your own site with equal efficiency. The adult deployment path: report-only mode first, collecting violations to an endpoint while enforcing nothing; iterate the policy against real traffic (third-party tags, our audit article’s registry, are most of the iteration); then enforce, keeping report-uri active as standing telemetry. Nonce-based script allowances beat host allowlists where your templating can inject them.
The reporting pipeline deserves elevation from afterthought to asset: CSP violation reports, and the broader Reporting-API family covering deprecations, crashes and network errors, constitute browser-side telemetry about your estate that no server log contains, third-party scripts misbehaving, extensions injecting content, regions where middleboxes tamper with pages. Estates that route these reports into real observability (sampled, aggregated, alarmed) repeatedly discover integrity issues weeks before users report symptoms. The browser fleet is the one vantage point you cannot buy from any vendor, and these headers are how it phones home; wiring the phone is the underrated half of the deployment.
Why the edge is the right stamping layer
Uniformity: one config covers every application, microservice and error page behind the hostname. Auditability: the policy lives in the config-as-code pipeline from our canary article, reviewed and versioned. And override discipline: edge rules can normalize contradictory origin headers (two apps disagreeing about frame policy is a finding, not a feature). The residual per-app case, CSP nonces needing template cooperation, argues for edge-and-app collaboration, not app-only ownership.
In practice
Scan your production hostnames with any headers-grading tool for the baseline; stamp the non-negotiables at the edge this week; start CSP in report-only with a violation endpoint and a quarterly iteration cadence; and add header presence to your synthetic checks so regressions page someone. Security headers are the rare control that is one config block, globally effective and empirically verifiable in seconds; estates missing them are declining free defense.
Header audits here take an hour and return the stamped-policy config plus the report-endpoint design. Free defense, collected.
