🟡 WARNING

No CSP, no HSTS, no X-Frame-Options: your AI-built page is missing security headers.

AI builders and no-code platforms rarely configure security headers. The result: no Content Security Policy, no HSTS, no clickjacking protection, no MIME sniffing guard. A page without headers looks unfinished to anyone who checks. Here's how to add them in 15 minutes.

The problem

Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are missing or misconfigured on production.

Who is affected

AI-built pages deployed to Vercel, Netlify, Cloudflare Pages, or any platform where headers weren't explicitly configured.

Why it matters

Missing headers leave concrete gaps: without a CSP, any script that gets injected runs unrestricted; without X-Frame-Options or a CSP frame-ancestors directive, the page can be framed for clickjacking; without HSTS, a visitor's first request over plain HTTP can be intercepted or downgraded. They are also a visible trust signal: security scanners flag them, and technical visitors (investors, enterprise clients) notice. Browsers don't warn about missing headers themselves; the warnings they show are for pages served over HTTP rather than HTTPS, which is exactly what HSTS prevents once set. HTTPS is a Google ranking signal; CSP and HSTS are not ranking signals on their own.

How to fix: step by step

  1. Check current headers

     Run `curl -sI https://yourdomain.com` (use the https:// URL: servers normally send Strict-Transport-Security only over HTTPS, and browsers ignore it over plain HTTP) or open the Network tab in DevTools and inspect the document response. Look for: content-security-policy, strict-transport-security, x-frame-options, x-content-type-options, referrer-policy, permissions-policy. A CSP that carries a `frame-ancestors` directive does the job of X-Frame-Options in modern browsers, so either counts as clickjacking protection.

  2. Add headers in your framework or platform config

     In Next.js, add an async `headers()` method to the config object exported from next.config.ts (or next.config.js); it returns a list of `{ source, headers }` rules, and a `source` of `/(.*)` applies the set to every route. On Netlify and Cloudflare Pages, put the same headers in a `_headers` file in the published directory; on Vercel without Next.js, use the `headers` array in vercel.json. TrustDebt's scan includes a fix prompt with copy-paste config for your framework.

  3. Start with a baseline CSP

     Don't lock down too aggressively at first. Start with `default-src 'self'` plus `frame-ancestors 'none'`, `object-src 'none'` and `base-uri 'self'`, and add allowed sources per directive as the reports show what the page actually loads. Expect `default-src 'self'` alone to block the inline scripts and styles most builders emit, so ship the policy first as `Content-Security-Policy-Report-Only` with a `report-uri` (or `report-to`) endpoint, fix what it reports, then rename the header to `Content-Security-Policy` to enforce it.

  4. Add HSTS for HTTPS enforcement

     Set `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` to make browsers use HTTPS for the next two years (63072000 seconds). Before adding `includeSubDomains`, confirm every subdomain actually serves HTTPS, because the directive applies to all of them. `preload` is a commitment: submission to the HSTS preload list (hstspreload.org) requires a max-age of at least one year plus both `includeSubDomains` and `preload`, and removal from the list takes months, so submit only once you are sure.

  5. Test and verify

     Re-run the curl check from step 1, then use securityheaders.com or Mozilla Observatory to grade the result. Re-scan with TrustDebt to confirm all headers are present and correctly configured.
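The five steps put together in one JavaScript file, as an added example that is not TrustDebt's fix prompt and not code from Next.js: part 1 builds the header set that a next.config.js returns from its `headers()` hook (report-only CSP by default, two-year HSTS, and the other four headers), part 2 parses a raw `curl -sI` dump and reports which of the six headers are missing, treating a CSP with `frame-ancestors` as covering X-Frame-Options. The `ALLOWED` origin lists, the `/csp-report` path, the `CSP_ENFORCE` environment variable, and the sample curl output are all placeholders constructed for this example.

```javascript
// Added example, not TrustDebt's or Next.js's own code.
// Part 1: the header set next.config.js returns from async headers().
// Part 2: a checker for the output of `curl -sI https://yourdomain.com`.

// Assumed third-party origins; replace with the hosts your page really loads from.
const ALLOWED = {
  script: ["'self'"],
  style: ["'self'", "'unsafe-inline'"], // most builders emit inline styles; drop once you use nonces or hashes
  img: ["'self'", "data:", "https:"],
  font: ["'self'"],
  connect: ["'self'"],
};

// Baseline CSP: everything falls back to 'self'; frame-ancestors replaces X-Frame-Options
// in CSP-aware browsers; object-src/base-uri close two classic bypasses. reportUri is an
// assumed path where violation reports are posted, so report-only mode has somewhere to send them.
function buildCsp(allowed, reportUri) {
  const d = [
    "default-src 'self'",
    `script-src ${allowed.script.join(" ")}`,
    `style-src ${allowed.style.join(" ")}`,
    `img-src ${allowed.img.join(" ")}`,
    `font-src ${allowed.font.join(" ")}`,
    `connect-src ${allowed.connect.join(" ")}`,
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ];
  if (reportUri) d.push(`report-uri ${reportUri}`);
  return d.join("; ");
}

// The six headers this page asks for. enforceCsp=false ships the policy as
// Content-Security-Policy-Report-Only (step 3); flip it once the reports are clean.
// hstsMaxAge defaults to two years, which satisfies the preload list's one-year minimum.
function securityHeaders({ enforceCsp = false, reportUri = "/csp-report", hstsMaxAge = 63072000 } = {}) {
  return [
    { key: enforceCsp ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
      value: buildCsp(ALLOWED, reportUri) },
    { key: "Strict-Transport-Security", value: `max-age=${hstsMaxAge}; includeSubDomains; preload` },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" }, // assumed minimal set
  ];
}

// What next.config.js hands back from `async headers() { return headerRules(); }`.
// source "/(.*)" applies the set to every route, including API routes and static assets.
// CSP_ENFORCE is an assumed environment variable used to switch from report-only to enforcing.
function headerRules() {
  return [{ source: "/(.*)", headers: securityHeaders({ enforceCsp: process.env.CSP_ENFORCE === "1" }) }];
}

// ---- Part 2: check a response the way steps 1 and 5 describe ----

const REQUIRED = ["content-security-policy", "strict-transport-security", "x-frame-options",
  "x-content-type-options", "referrer-policy", "permissions-policy"];

// Parse raw `curl -sI` output into a lowercase-name -> value map. Header names are
// case-insensitive (RFC 9110); the status line has no colon and is skipped.
function parseHeaderDump(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) out[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return out;
}

// Required headers that are absent. A CSP carrying frame-ancestors already gives clickjacking
// protection, so x-frame-options is not reported as missing in that case. HSTS is only honoured
// over HTTPS, so the dump must come from an https:// URL.
function missingHeaders(dumpText) {
  const h = parseHeaderDump(dumpText);
  const cspFramesCovered = /frame-ancestors/i.test(h["content-security-policy"] || "");
  return REQUIRED.filter((name) => !(name in h) && !(name === "x-frame-options" && cspFramesCovered));
}

// Constructed sample: what an unconfigured static deployment typically returns.
const SAMPLE_BARE = [
  "HTTP/2 200",
  "content-type: text/html; charset=utf-8",
  "cache-control: public, max-age=0, must-revalidate",
  "date: Mon, 01 Jan 2024 00:00:00 GMT",
  "",
].join("\r\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("missing:", missingHeaders(SAMPLE_BARE)); // all six
  console.log(JSON.stringify(headerRules(), null, 2));
}
```

Wire part 1 into Next.js with `module.exports = { async headers() { return headerRules(); } };` in next.config.js, deploy, then paste the output of `curl -sI https://yourdomain.com` into `missingHeaders()` to see what the platform actually delivered. In report-only mode the policy blocks nothing, so the only cost of shipping it early is the volume of reports; set `CSP_ENFORCE=1` when they stop arriving.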

Scan your page in 45 seconds

TrustDebt's scan audits your security headers and generates a specific fix configuration for your framework — Next.js, plain HTML, or no-code platform.

Free scan

Common questions

Do security headers affect SEO?
Only indirectly. Google uses HTTPS as a ranking signal, and HSTS makes sure every visit is over HTTPS; CSP and the other headers are not ranking signals on their own. Treat them as a security and trust measure that technical visitors and scanners check, not as an SEO lever.
Will adding CSP break my site?
It can if set too aggressively. A strict policy blocks the inline scripts and styles that builders, analytics snippets, and embeds rely on, so start with `Content-Security-Policy-Report-Only` or a loose policy, check the violation reports, then lock down. TrustDebt's fix prompt includes a safe starting CSP.