Security checklist

Security headers checklist

This page records the headers SimpleToolset expects in production and why some stricter headers are rolled out per tool group rather than globally.

Updated 2026-06-04

Configured globally

  • Strict-Transport-Security is set for HTTPS enforcement without preload by default.
  • X-Content-Type-Options is set to nosniff.
  • Referrer-Policy is set to strict-origin-when-cross-origin.
  • X-Frame-Options is set to DENY for clickjacking protection.
  • Permissions-Policy disables high-risk device features that SimpleToolset does not need globally.

Configured only on tools that need isolation

Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy stay scoped to heavy browser tools that need cross-origin isolation or SharedArrayBuffer-style execution. They are not forced globally because some third-party resources and ordinary pages do not need that stricter mode.

Staged, not globally enforced yet

  • Content-Security-Policy will be rolled out in report-only mode first because PDF, AI, WebAssembly, ads, and worker tools have different loading needs.
  • HSTS preload is not enabled by default; preload is a domain-level commitment and should be submitted only after all subdomains are confirmed HTTPS-only.
  • The CSP reporting endpoint is not enabled until reports can be collected without leaking page content, form values, or uploaded filenames.

Verification checklist

  • Confirm headers on /en/, a category page, a lightweight tool, an AI Local tool, and a cross-origin-isolated tool.
  • Check that service worker, manifest, sitemap, robots.txt, llms.txt, and JSON discovery assets keep expected cache headers.
  • Run a header scanner and compare findings against this page after every hosting or CDN change.

Header | Purpose | SimpleToolset policy
Strict-Transport-Security | Tells browsers to use HTTPS for future requests. | Enabled without preload by default.
X-Content-Type-Options | Reduces MIME sniffing risk. | Enabled globally as nosniff.
Referrer-Policy | Limits referrer data sent to other origins. | Enabled globally as strict-origin-when-cross-origin.
Permissions-Policy | Restricts browser features by origin. | High-risk features disabled globally; microphone is not blocked because voice tools may request it.
Content-Security-Policy | Controls which resources can load. | Planned in report-only first, then enforced per route family.
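
The verification checklist above compares scanner output against this page by hand; the script below, an added example and not part of SimpleToolset's own tooling, encodes the policy as checks over a captured header set. The sample header sets are constructed, and the COOP/COEP values `same-origin` and `require-corp` are assumed as the usual cross-origin-isolation pair, since the page does not name them.

```python
EXPECTED_GLOBAL = {
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-frame-options": "deny",
}


def check_headers(headers: dict, isolated_tool: bool = False) -> list:
    """Return policy deviations for one response; an empty list means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, expected in EXPECTED_GLOBAL.items():
        if h.get(name, "").lower() != expected:
            findings.append(f"{name}: expected '{expected}', got '{h.get(name, '<missing>')}'")
    hsts = h.get("strict-transport-security", "").lower()
    if "max-age" not in hsts:
        findings.append("strict-transport-security: missing")
    elif "preload" in hsts:  # preload is a domain-level commitment not yet made
        findings.append("strict-transport-security: preload directive set, but preload is not enabled by policy")
    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("permissions-policy: missing")
    elif "microphone=()" in pp.replace(" ", ""):  # empty allowlist blocks microphone everywhere
        findings.append("permissions-policy: microphone fully blocked, but voice tools may request it")
    if "content-security-policy" in h:  # only the Report-Only variant is expected during staging
        findings.append("content-security-policy: enforced, but CSP is staged as report-only")
    if any(d in h.get("content-security-policy-report-only", "").lower() for d in ("report-uri", "report-to")):
        findings.append("content-security-policy-report-only: reporting endpoint set before reports are approved")
    coop, coep = h.get("cross-origin-opener-policy"), h.get("cross-origin-embedder-policy")
    if isolated_tool:  # assumed isolation pair; the page does not fix the exact values
        if coop != "same-origin" or coep != "require-corp":
            findings.append("coop/coep: isolated tool must send same-origin and require-corp")
    elif coop or coep:
        findings.append("coop/coep: present on a route that is not a cross-origin-isolated tool")
    return findings


# Constructed sample header sets standing in for a scan of two routes (not captured from production).
LIGHTWEIGHT_TOOL = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), geolocation=(), microphone=(self)",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}
DRIFTED_TOOL = {**LIGHTWEIGHT_TOOL,
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",  # enforced CSP on a route still in staging
    "Cross-Origin-Opener-Policy": "same-origin",  # COOP leaked onto a non-isolated route
}
```

Feed it the headers captured from each route in the checklist (for example the output of `curl -sI` parsed into a dict) and pass `isolated_tool=True` only for the cross-origin-isolated tool.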