fadaly.net/work/headers-grader
NETWORK SECURITY
HEADERS.
14 production URLs graded against OWASP secure-headers baseline.
8 missing Strict-Transport-Security max-age >= 1y.
4 ship Content-Type with no X-Content-Type-Options: nosniff.
The fastest security win nobody bothers to ship.
HG-009 · /api/v2 (Grade D)
FAIL
No HSTS. No CSP. Referrer-Policy: unset.
Ship HSTS preload, baseline CSP, set Referrer-Policy.
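The checks named above (HSTS with max-age >= 1y, nosniff wherever a Content-Type is sent, CSP present, Referrer-Policy set), written out as an added example; this is not the grader's own code. The finding labels, the sample header sets and the CSP value are constructed for illustration, and no letter grade is computed because the page does not give its rubric.

```python
import re

ONE_YEAR = 31536000  # seconds; the "max-age >= 1y" threshold from the page


def parse_hsts(value):
    """Return (max_age or None, set of lower-cased flag directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part)
    return max_age, flags


def check_headers(headers):
    """Return a sorted list of finding labels for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("hsts-max-age-under-1y")
        # Preload-list eligibility also requires these two directives.
        if not {"includesubdomains", "preload"} <= flags:
            findings.append("hsts-not-preload-ready")
    # nosniff only matters when the response declares a Content-Type.
    if "content-type" in h and h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    if not h.get("content-security-policy"):
        findings.append("csp-missing")
    if not h.get("referrer-policy"):
        findings.append("referrer-policy-unset")
    return sorted(findings)


# Constructed samples: a response shaped like the failing finding, and a fixed one.
WEAK = {"Content-Type": "application/json"}
HARDENED = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
}
```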