Your public site is your first security reference
Before a prospective client ever asks for your certifications, they can run one command against your website and learn how seriously you take the basics. A marketing site is a small attack surface, but it is also the only system of yours the whole world can inspect — which makes it the cheapest credibility signal in security work, and the most commonly wasted one.
This article is the checklist we apply to our own platform. None of it is exotic. All of it is verifiable from the outside, which is precisely the point: a security claim you cannot check is marketing, not engineering.
Headers first: the cheap, verifiable layer
Response headers are the closest thing the web has to free security. Strict-Transport-Security with a long max-age, includeSubDomains and preload removes the HTTP downgrade path entirely. A Content-Security-Policy — even a pragmatic one — turns most injection attacks from incidents into log lines. X-Frame-Options: DENY ends clickjacking; X-Content-Type-Options: nosniff ends MIME confusion; Referrer-Policy: no-referrer means your visitors' journeys leak to no one.
The less-known pair is worth adopting too: Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy pinned to same-origin isolate your browsing context and resources from hostile pages. And a Permissions-Policy that denies camera, microphone, geolocation, payment, USB and their siblings costs one line and removes an entire class of abuse — a marketing site has no business touching any of that hardware.
Every header above is one entry in a config file. The whole layer takes an afternoon, survives redesigns, and is testable by anyone with curl.
Forms are the front door
The contact form is usually the only writable endpoint on a marketing site, and therefore the only one attackers care about. Two disciplines cover most of the risk. First, minimisation: the endpoint should accept exactly the fields the form shows, validated for shape and size, and nothing else — no hidden metadata, no echo of client state. Second, rate limiting: even a simple per-IP window turns automated abuse from a flood into a trickle.
The same minimisation logic applies to what you collect passively. Third-party trackers are not just a privacy question; every external script is a supply-chain grant of execution inside your origin. Cookieless, aggregate analytics answer the questions a studio actually has — did anyone read this? — without importing someone else's attack surface.
Verify from outside, always
A hardening pass is not finished when the config is written; it is finished when an outsider can confirm it. Three checks take under a minute: read the raw headers with curl -sI, grade the TLS configuration with SSL Labs, and score the header set with securityheaders.com. If those three disagree with what you believe you shipped, believe them.
Finally, publish a security.txt at /.well-known/security.txt with a real contact and an honest expiry date. It is nine lines, it is where researchers look first, and its absence tells them — accurately — that nobody thought about the question. Ours links to a disclosure policy that promises what we can keep: fast acknowledgement, no legal threats against good-faith research, credit if wanted.
Everything in this article is live on this site right now. The security page in the footer lists each measure alongside the command that proves it — which is exactly the standard we would ask of any vendor selling us security.
The checklist
Transport: HSTS (long max-age, includeSubDomains, preload). Injection: Content-Security-Policy on every response. Embedding: X-Frame-Options DENY. Sniffing: X-Content-Type-Options nosniff. Privacy: Referrer-Policy no-referrer, no third-party trackers, cookieless analytics. Isolation: COOP and CORP same-origin. Hardware: Permissions-Policy denying everything unused. Forms: strict validation plus rate limiting. Disclosure: security.txt plus a written policy.
None of these items is impressive alone. Together they are the difference between a site that claims security and one that demonstrates it — and they take less time than the average homepage animation.