Security
Security at TechTailors is the architecture itself. From edge-level DDoS protection to true single-tenant isolation across every service, every layer of your site is hardened by default.
Part of our published engineering standards: Performance, Accessibility, Security, Best Practices, and SEO.
Content Security Policy
Every TechTailors site ships with a whitelist-based Content Security Policy — the strictest approach to controlling what resources a browser is allowed to load on your pages. If a hacker tries to slip a fake payment form or phishing iframe onto your site, the browser blocks it before anyone sees it. Even if a third-party script you use is later compromised, your visitors’ trust in your domain stays intact.
How our CSP works
Our policy starts from default-src 'none', blocking everything by default, then explicitly allows only the sources your site actually needs: your own domain for scripts and styles, Cloudinary for optimised images and media, and Cloudflare Insights for privacy-respecting analytics. Nothing else gets through.
We also set frame-ancestors 'none' to prevent your site from being embedded in iframes on other domains (a defence against clickjacking, an attack where a malicious site overlays invisible elements to trick users into clicking something unintended), and form-action 'self' to ensure form submissions only go to your own domain — blocking form hijacking attacks before they start.
Security headers
Beyond CSP, we set HTTP security headers on every page — each one closing a specific class of attack. Every connection to your site is encrypted and verified before content loads. Contact forms, login credentials, and payment data travel safely. Browsers physically refuse to render your site over insecure HTTP — eliminating an entire class of attacks that exploit unencrypted traffic.
The full list of headers we set
Strict-Transport-Security with a one-year max-age, subdomain inclusion, and preload eligibility ensures browsers will only connect over HTTPS — even if someone types http:// manually. This eliminates man-in-the-middle attacks (attacks that intercept unencrypted HTTP traffic to inject malicious content or steal data) on the initial connection.
X-Content-Type-Options: nosniff prevents browsers from guessing file types (MIME sniffing), which attackers exploit to execute scripts disguised as other file types. X-Frame-Options: DENY provides a second layer of clickjacking protection alongside our CSP frame-ancestors directive. Cross-Origin-Opener-Policy: same-origin isolates your site's browsing context, preventing cross-origin windows from accessing it.
Referrer-Policy: strict-origin-when-cross-origin limits what URL information is shared when users click outbound links — protecting your page structure from leaking to third parties. And our Permissions-Policy explicitly disables camera, microphone, geolocation, and payment APIs — because a marketing website should never ask for hardware access.
Cloudflare edge protection
Before a request even reaches your site, it passes through Cloudflare's global edge network — 300+ data centres providing universal protection regardless of your TechTailors tier. If a competitor tries to take you offline, or a botnet probes your site for vulnerabilities (which happens to every public site within hours of going live), Cloudflare’s edge absorbs the attack before it reaches your code. Your site stays up and fast when you’d otherwise be down or compromised.
What Cloudflare handles for you
Every client gets enterprise-grade DDoS mitigation and Web Application Firewall protection at the platform level. Cloudflare absorbs volumetric attacks before they consume any of your resources, and its WAF rules filter out SQL injection, cross-site scripting, and other common attack vectors automatically.
Bot management runs pre-request filtering, blocking scrapers, credential stuffers, and automated abuse before your application code ever executes. Because your site is statically pre-rendered, there's no origin server to overwhelm — the edge serves cached HTML directly, making traditional DDoS against your infrastructure effectively impossible.
Single-tenant isolation & client-owned infrastructure
Most agencies resell space inside their own shared accounts: one Cloudflare account, one database, one analytics property, carved up across every client they have. We do the opposite. From day one, every service in your stack is its own dedicated, single-tenant account — your own Cloudflare project, your own database, your own CMS, your own search, your own store — with nothing shared with anyone else. This is the part almost no other agency can match. A breach, vulnerability, or outage in another company’s site physically cannot reach yours, because you were never in the same account, database, or environment to begin with. For regulated industries — healthcare, finance, government — single-tenant isolation is exactly what compliance auditors want to see, and it’s the default on every TechTailors build, not a premium upsell.
How single-tenant isolation works
Take the database. Multi-tenant setups rely on a single application-level query filter (like RLS, Row Level Security, the database policies that filter query results by tenant ID) to keep tenants apart; if that filter has a bug, every tenant's data is exposed to every other tenant. We eliminate that risk entirely: your content lives in its own PostgreSQL instance on Supabase for blogging, and your store in its own SQLite database on Turso for e-commerce, each with its own credentials, its own backups, and its own network boundary.
The same principle runs through the whole stack. Your edge and hosting are your own Cloudflare account, your CMS is your own Strapi Cloud project, your search runs on a dedicated single-tenant Typesense cluster in your name, and your store is your own BigCommerce account. You can demonstrate data isolation at the infrastructure level, not just the application level, which is what auditors actually want to see.
And every one of those accounts is in your name from day one. We're added as administrators to run Workers, DNS, caching, and WAF rules on your behalf, never as the owner; billing, API tokens, and account ownership stay entirely yours, with full visibility into your infrastructure at any time. If you ever leave TechTailors, you revoke our access and keep everything: no migration, no export, no negotiation. The isolation is permanent because the accounts were never ours to begin with.
Intelligent caching
Our caching strategy is designed for both speed and security — ensuring users always see the latest content while maximising edge cache efficiency. Returning visitors get near-instant page loads from local cache, but always see your latest deploy. Change a price on the homepage at 9am and visitors at 9:01am see the new price — not yesterday’s cached version. Speed and freshness aren’t a tradeoff.
How our cache tiers work
HTML pages use Cache-Control: public, no-cache — browsers may cache the page but must revalidate with the server before displaying it. This means returning visitors get fast 304 Not Modified responses while always seeing the latest deploy.
Hashed static assets (CSS, JS) get max-age=31536000, immutable — one year, no revalidation — because the filename changes on every build. Images and videos get a 30-day cache with the same immutable directive. This three-tier strategy ensures zero stale content while eliminating unnecessary round trips for assets that genuinely haven't changed.
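As an added example (not TechTailors' own code), the three cache tiers above together with the ETag revalidation that turns HTML's no-cache into cheap 304 responses, in JavaScript. The hashed-filename pattern, the media extension list and the weak-ETag scheme are assumptions, not details from the page.

```javascript
const ONE_YEAR = 31536000;                 // seconds
const THIRTY_DAYS = 30 * 24 * 60 * 60;     // 2592000 seconds
const HASHED_ASSET = /\.[0-9a-f]{8,}\.(css|js)$/i;          // e.g. app.3f9a1c2b.js (assumed naming)
const MEDIA = /\.(png|jpe?g|gif|webp|avif|svg|mp4|webm)$/i;  // assumed extension list

// Pick the Cache-Control tier for a request path.
function cacheControlFor(pathname) {
  if (HASHED_ASSET.test(pathname)) return `public, max-age=${ONE_YEAR}, immutable`;
  if (MEDIA.test(pathname)) return `public, max-age=${THIRTY_DAYS}, immutable`;
  return "public, no-cache"; // HTML: cacheable, but revalidate before every display
}

// Weak ETag from the body bytes (length + FNV-1a hash; assumed scheme).
function etagFor(body) {
  const bytes = new TextEncoder().encode(body);
  let h = 0x811c9dc5;
  for (const b of bytes) { h = Math.imul(h ^ b, 0x01000193) >>> 0; }
  return `W/"${bytes.length}-${h.toString(16)}"`;
}

// Edge/origin decision: 304 when the client's copy still matches, else 200 with the body.
function respond(pathname, body, requestHeaders = {}) {
  const etag = etagFor(body);
  const headers = { "cache-control": cacheControlFor(pathname), etag };
  const inm = requestHeaders["if-none-match"] || "";
  if (inm.split(",").map((s) => s.trim()).includes(etag)) {
    return { status: 304, headers, body: "" }; // fast path: nothing re-sent
  }
  return { status: 200, headers, body }; // new deploy: fresh content served
}
```

A changed price changes the body, hence the ETag, so the next revalidation gets a 200 with the new page instead of a 304.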
Security without compromise
Every TechTailors client gets this security stack as a default standard — your visitors' safety isn't negotiable.
Talk to Us About Security