Where should Netlify security headers live?
Use public/_headers or [[headers]] in netlify.toml. Launch Auditor validates response headers on your live URL — the configuration location doesn't matter if browsers receive the right values.
Netlify's netlify.toml headers, branch deploys versus the production domain, and edge functions need the same clearance bar as a Vercel deploy — especially CSP, redirects, and SSL on custom domains.
Production deploys need baseline HTTP hardening before you share the URL.
Define Strict-Transport-Security and CSP in _headers or netlify.toml.
Audit check SEC-001 · security
Set X-Content-Type-Options and Referrer-Policy on all paths.
Audit check SEC-006 · security
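The two checks above (SEC-001 and SEC-006) name four headers; this is an added netlify.toml example, not configuration from Launch Auditor or from Netlify's own docs, and the CSP sources are an assumption for a static site that loads no third-party scripts or styles:

```toml
# Added example: a [[headers]] block in netlify.toml that applies the four
# headers the checks above call for to every path Netlify serves statically.
[[headers]]
  for = "/*"
  [headers.values]
    # One year, all subdomains, eligible for the browser preload list; drop
    # "preload" (and "includeSubDomains") if any subdomain still serves plain HTTP.
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    # Assumed policy for a self-hosted static site: no inline or third-party
    # script, no plugins, no framing. Widen source lists only for what the site loads.
    Content-Security-Policy = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests"
    # Stops MIME sniffing of misnamed assets.
    X-Content-Type-Options = "nosniff"
    # Full referrer only to same-origin; origin only on cross-origin HTTPS; nothing on downgrade.
    Referrer-Policy = "strict-origin-when-cross-origin"
```

The same rules in `public/_headers` form are a `/*` line followed by indented `Header-Name: value` lines; in either form, confirm the result with `curl -sI` against the live production URL rather than localhost, since only the CDN response is what browsers and the audit see.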
Custom domain TLS valid — check Netlify DNS vs external registrar setup.
Audit check DNS-001 · dns ssl
Core Web Vitals and load behavior under real traffic — not just localhost.
Run Lighthouse on production domain after Netlify CDN cache warms.
Audit check PERF-001 · performance
Free tier · No credit card · Create account
Pricing
Start free. Paid plans include a 7-day free trial — card required, cancel anytime.
First flight check
Growth (7-day free trial): serious founders shipping weekly
Professional (7-day free trial): funded teams with monitors & CI
Agency (7-day free trial): agencies & multi-client launches