Disclosure
Transparency about links and funding, per FTC guidance.
This site is free. Some outbound links — for example to hosting, CDN, or security-scanning providers — may be affiliate links: if you sign up through them we may earn a commission at no extra cost to you. We only link to tools we'd actually use, and a commission never changes what we recommend.
The servers and specs these recipes cover (Nginx, Apache, Caddy, the CSP/Fetch standards) are free and open, so most references here are just that — plain references, not paid placements.
No warranty. These recipes are provided as-is. A wrong Content-Security-Policy
or Strict-Transport-Security value can break a site or lock browsers onto HTTPS for a long
time — roll out CSP in report-only mode first, and test on staging before production. You are
responsible for what you deploy.