Security

Security at TechTailors is the architecture itself. From edge-level DDoS protection to true single-tenant isolation across every service, every layer of your site is hardened by default.

Part of our published engineering standards: Performance, Accessibility, Security, Best Practices, and SEO.

Content Security Policy

Every TechTailors site ships with a whitelist-based Content Security Policy — the strictest approach to controlling what resources a browser is allowed to load on your pages. If a hacker tries to slip a fake payment form or phishing iframe onto your site, the browser blocks it before anyone sees it. Even if a third-party script you use is later compromised, your visitors’ trust in your domain stays intact.

How our CSP works

Our policy starts from default-src 'none', blocking everything by default, then explicitly allows only the sources your site actually needs: your own domain for scripts and styles, Cloudinary for optimised images and media, and Cloudflare Insights for privacy-respecting analytics. Nothing else gets through.

We also set frame-ancestors 'none' to prevent your site from being embedded in iframes on other domains (a defence against clickjacking, an attack where a malicious site overlays invisible elements to trick users into clicking something unintended), and form-action 'self' to ensure form submissions only go to your own domain — blocking form hijacking attacks before they start.
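To make the fallback behaviour concrete, here is a small evaluator for the kind of policy described above. It is an added example, not TechTailors' own code: it parses a CSP string, applies the default-src fallback (so an absent frame-src falls back to 'none'), and decides whether a given load would be allowed. The client domain, the Cloudinary and Cloudflare Insights hostnames, and the sample URLs are assumptions constructed for illustration; nonces, hashes and inline scripts are outside its scope.

```javascript
// Added example (not TechTailors' own code): a minimal evaluator for the
// whitelist-style policy described above. The client domain, third-party
// hostnames and sample URLs are assumptions constructed for illustration.

const SITE_ORIGIN = "https://example-client.com"; // assumed client domain

// Constructed policy in the shape the page describes: deny everything, then
// allow only the site itself, Cloudinary media and Cloudflare Insights.
const POLICY = [
  "default-src 'none'",
  "script-src 'self' https://static.cloudflareinsights.com",
  "style-src 'self'",
  "img-src 'self' https://res.cloudinary.com",
  "media-src 'self' https://res.cloudinary.com",
  "connect-src 'self' https://cloudflareinsights.com",
  "frame-ancestors 'none'",
  "form-action 'self'",
].join("; ");

// Parse "name src src; name src" into a Map of directive -> source list.
// Per the CSP spec, a repeated directive name is ignored after its first use.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Fetch directives that inherit default-src when absent. frame-ancestors and
// form-action are deliberately not in this set: they never fall back.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "media-src", "connect-src",
  "font-src", "frame-src", "object-src", "child-src", "worker-src",
]);

// Does one source expression permit a load from `url` on a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false;            // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {           // scheme-only source, e.g. "https:"
    return target.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1).toLowerCase());
  return target.hostname === host.toLowerCase();
}

// Would the browser allow `url` under `directive`? Origin-level check only.
function isAllowed(directives, directive, url, pageOrigin = SITE_ORIGIN) {
  let sources = directives.get(directive);
  if (sources === undefined) {
    if (!FALLS_BACK_TO_DEFAULT.has(directive)) return true; // no restriction set
    sources = directives.get("default-src");
    if (sources === undefined) return true;
  }
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The scenarios the page describes, evaluated against the policy.
function evaluateScenarios(policy = POLICY) {
  const d = parsePolicy(policy);
  return {
    ownScript: isAllowed(d, "script-src", `${SITE_ORIGIN}/app.js`),
    injectedScript: isAllowed(d, "script-src", "https://attacker.invalid/skim.js"),
    cloudinaryImage: isAllowed(d, "img-src", "https://res.cloudinary.com/demo/hero.jpg"),
    // frame-src is absent, so a phishing iframe falls through to default-src 'none'
    phishingIframe: isAllowed(d, "frame-src", "https://attacker.invalid/login"),
    ownForm: isAllowed(d, "form-action", `${SITE_ORIGIN}/contact`),
    hijackedForm: isAllowed(d, "form-action", "https://attacker.invalid/collect"),
    // frame-ancestors 'none': no other origin may embed the page
    embeddedElsewhere: isAllowed(d, "frame-ancestors", "https://other-site.invalid/"),
  };
}
```

The point the fallback table makes is easy to miss in practice: frame-ancestors and form-action do not inherit from default-src, so a policy that only sets default-src 'none' still allows the page to be framed anywhere and forms to post anywhere. Both have to be set explicitly, as the page does.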

Security headers

Beyond CSP, we set HTTP security headers on every page — each one closing a specific class of attack. Every connection to your site is encrypted and verified before content loads. Contact forms, login credentials, and payment data travel safely. Browsers refuse to load your site over insecure HTTP — eliminating an entire class of attacks that exploit unencrypted traffic.

The full list of headers we set

Strict-Transport-Security with a one-year max-age, subdomain inclusion, and preload eligibility ensures browsers will only connect over HTTPS — even if someone types http:// manually. This eliminates man-in-the-middle attacks (attacks that intercept unencrypted HTTP traffic to inject malicious content or steal data) on the initial connection; the very first visit from a browser that has never seen the header is covered once the domain is on the browsers' HSTS preload list.

X-Content-Type-Options: nosniff prevents browsers from guessing file types (MIME sniffing), which attackers exploit to execute scripts disguised as other file types. X-Frame-Options: DENY provides a second layer of clickjacking protection alongside our CSP frame-ancestors directive. Cross-Origin-Opener-Policy: same-origin isolates your site's browsing context, preventing cross-origin windows from accessing it.

Referrer-Policy: strict-origin-when-cross-origin limits what URL information is shared when users click outbound links — protecting your page structure from leaking to third parties. And our Permissions-Policy explicitly disables camera, microphone, geolocation, and payment APIs — because a marketing website should never ask for hardware access.
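The header set above, as an added example that is not TechTailors' own code: a plain header map in the shape an edge handler builds before constructing its response, a function that applies the standard set (replacing any weaker variant rather than duplicating it), and an audit that reports every header missing or weaker than the standard described on this page. The CSP value is abbreviated, and the "weak origin" response is constructed for illustration.

```javascript
// Added example (not TechTailors' own code): the header set the page lists,
// applied by an edge-style handler, plus an audit for regressions. The CSP
// is abbreviated and the sample response headers are constructed.

const ONE_YEAR_SECONDS = 31536000;

const SECURITY_HEADERS = {
  "Content-Security-Policy":
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; " +
    "frame-ancestors 'none'; form-action 'self'",
  "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`,
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
};

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return a copy of `headers` (a plain name -> value object) with the standard
// set applied. Any existing variant of a managed header, whatever its casing,
// is dropped first so the response never carries two conflicting values.
function applySecurityHeaders(headers) {
  const managed = new Set(Object.keys(SECURITY_HEADERS).map((k) => k.toLowerCase()));
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!managed.has(k.toLowerCase())) out[k] = v;
  }
  return { ...out, ...SECURITY_HEADERS };
}

// Audit a response's headers against the standard. Returns a list of findings;
// an empty list means every header is present and at least as strict as described.
function auditSecurityHeaders(headers) {
  const findings = [];
  const h = (name) => getHeader(headers, name) || "";

  const hsts = h("Strict-Transport-Security");
  if (!hsts) {
    findings.push("Strict-Transport-Security missing");
  } else {
    const maxAge = /max-age=(\d+)/i.exec(hsts);
    if (!maxAge || Number(maxAge[1]) < ONE_YEAR_SECONDS) findings.push("HSTS max-age below one year");
    if (!/\bincludeSubDomains\b/i.test(hsts)) findings.push("HSTS missing includeSubDomains");
    if (!/\bpreload\b/i.test(hsts)) findings.push("HSTS not preload-eligible");
  }
  if (!/^nosniff$/i.test(h("X-Content-Type-Options"))) findings.push("X-Content-Type-Options is not nosniff");
  if (!/^same-origin$/i.test(h("Cross-Origin-Opener-Policy"))) findings.push("Cross-Origin-Opener-Policy is not same-origin");
  if (!h("Referrer-Policy")) findings.push("Referrer-Policy missing");

  // Clickjacking: frame-ancestors 'none' or X-Frame-Options: DENY each suffices
  // alone; the page sets both, the audit insists on at least one.
  const csp = h("Content-Security-Policy");
  const xfoDeny = /^DENY$/i.test(h("X-Frame-Options"));
  if (!/frame-ancestors\s+'none'/i.test(csp) && !xfoDeny) findings.push("no clickjacking protection");

  const permissions = h("Permissions-Policy");
  for (const feature of ["camera", "microphone", "geolocation", "payment"]) {
    if (!new RegExp(`\\b${feature}=\\(\\)`).test(permissions)) {
      findings.push(`Permissions-Policy does not disable ${feature}`);
    }
  }
  return findings;
}

// Constructed "before" headers from an origin with weak defaults: a short HSTS
// lifetime, SAMEORIGIN framing, and none of the other headers.
const WEAK_RESPONSE_HEADERS = {
  "content-type": "text/html; charset=utf-8",
  "strict-transport-security": "max-age=300",
  "x-frame-options": "SAMEORIGIN",
};
```

Running the audit before and after applySecurityHeaders on the constructed headers is the useful check: the weak set produces findings for HSTS, clickjacking and each disabled API, and the applied set produces none. The lowercase strict-transport-security key is replaced, not joined by a second copy, which matters because a browser seeing two HSTS headers takes the first.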

Cloudflare edge protection

Before a request even reaches your site, it passes through Cloudflare's global edge network — 300+ data centres providing universal protection regardless of your TechTailors tier. If a competitor tries to take you offline, or a botnet probes your site for vulnerabilities (which happens to every public site within hours of going live), Cloudflare’s edge absorbs the attack before it reaches your code. Your site stays up and fast when you’d otherwise be down or compromised.

What Cloudflare handles for you

Every client gets enterprise-grade DDoS mitigation and Web Application Firewall protection at the platform level. Cloudflare absorbs volumetric attacks before they consume any of your resources, and its WAF rules filter out SQL injection, cross-site scripting, and other common attack vectors automatically.

Bot management runs pre-request filtering, blocking scrapers, credential stuffers, and automated abuse before your application code ever executes. Because your site is statically pre-rendered, there's no origin server to overwhelm — the edge serves cached HTML directly, making traditional DDoS against your infrastructure effectively impossible.

Single-tenant isolation & client-owned infrastructure

Most agencies resell space inside their own shared accounts: one Cloudflare account, one database, one analytics property, carved up across every client they have. We do the opposite. From day one, every service in your stack is its own dedicated, single-tenant account — your own Cloudflare project, your own database, your own CMS, your own search, your own store — with nothing shared with anyone else. This is the part almost no other agency can match. A breach, vulnerability, or outage in another company’s site physically cannot reach yours, because you were never in the same account, database, or environment to begin with. For regulated industries — healthcare, finance, government — single-tenant isolation is exactly what compliance auditors want to see, and it’s the default on every TechTailors build, not a premium upsell.

How single-tenant isolation works

Take the database. Multi-tenant setups rely on a single application-level query filter (like RLS, Row Level Security: database policies that filter query results by tenant ID) to keep tenants apart; if that filter has a bug, every tenant's data is exposed to every other tenant. We eliminate that risk entirely: your content lives in its own PostgreSQL instance on Supabase for blogging, and your store in its own SQLite database on Turso for e-commerce, each with its own credentials, its own backups, and its own network boundary.

The same principle runs through the whole stack. Your edge and hosting are your own Cloudflare account, your CMS is your own Strapi Cloud project, your search runs on a dedicated single-tenant Typesense cluster in your name, and your store is your own BigCommerce account. You can demonstrate data isolation at the infrastructure level, not just the application level, which is what auditors actually want to see.

And every one of those accounts is in your name from day one. We're added as administrators to run Workers, DNS, caching, and WAF rules on your behalf, never as the owner; billing, API tokens, and account ownership stay entirely yours, with full visibility into your infrastructure at any time. If you ever leave TechTailors, you revoke our access and keep everything: no migration, no export, no negotiation. The isolation is permanent because the accounts were never ours to begin with.

Intelligent caching

Our caching strategy is designed for both speed and security — ensuring users always see the latest content while maximising edge cache efficiency. Returning visitors get near-instant page loads from local cache, but always see your latest deploy. Change a price on the homepage at 9am and visitors at 9:01am see the new price — not yesterday’s cached version. Speed and freshness aren’t a tradeoff.

How our cache tiers work

HTML pages use Cache-Control: public, no-cache — browsers may cache the page but must revalidate with the server before displaying it. This means returning visitors get fast 304 Not Modified responses while always seeing the latest deploy.

Hashed static assets (CSS, JS) get max-age=31536000, immutable — one year, no revalidation — because the filename changes on every build. Images and videos get a 30-day cache with the same immutable directive. This three-tier strategy ensures zero stale content while eliminating unnecessary round trips for assets that genuinely haven't changed.
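The three tiers and the revalidation exchange, as an added example that is not TechTailors' own code: a path classifier that emits the Cache-Control value for each tier, and a response builder that answers a matching If-None-Match with 304 while a changed body always gets a new ETag and a full 200. The ETag is a content hash (a small FNV-1a stand-in here, not a production choice); the paths and page bodies are constructed. It also covers one edge case the tier description implies but does not spell out: an asset whose filename carries no build hash must not be marked immutable.

```javascript
// Added example (not TechTailors' own code): the cache tiers described above
// plus the 304 revalidation exchange. The ETag uses a toy FNV-1a hash as a
// stand-in for a real content hash; paths and bodies are constructed.

const ONE_YEAR = 31536000;
const THIRTY_DAYS = 30 * 24 * 60 * 60; // 2592000

// Tier rules. A build hash in the filename (e.g. app.3f9c2a1b.js) is what makes
// "immutable" safe: a new build gets a new name, so a one-year cache can never
// serve stale code. An asset without that hash is not immutable and falls
// through to the revalidating tier with the HTML.
function cacheControlFor(path) {
  if (/\.[0-9a-f]{8,}\.(css|js|mjs)$/i.test(path)) return `public, max-age=${ONE_YEAR}, immutable`;
  if (/\.(png|jpe?g|gif|webp|avif|svg|mp4|webm)$/i.test(path)) return `public, max-age=${THIRTY_DAYS}, immutable`;
  return "public, no-cache"; // HTML and unhashed assets: cacheable, but revalidate every time
}

// 32-bit FNV-1a over the body text. Any single-character difference in the
// body yields a different tag, which is all the revalidation logic needs.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function etagFor(body) {
  return `"${fnv1a(body)}"`;
}

// Build the response for a path. If the client's If-None-Match lists the
// current ETag, the body is dropped and 304 is returned; otherwise the full
// body ships with a fresh ETag and the tier's Cache-Control.
function respond(path, body, requestHeaders = {}) {
  const etag = etagFor(body);
  const headers = { "Cache-Control": cacheControlFor(path), ETag: etag };
  const candidates = (requestHeaders["If-None-Match"] || "").split(",").map((s) => s.trim());
  if (candidates.includes(etag)) {
    return { status: 304, headers, body: "" };
  }
  return { status: 200, headers, body };
}

// The 9am price change from the page: first visit, a revisit before the
// deploy, and a revisit after it, all sending the ETag from the first visit.
function simulatePriceChange() {
  const before = "<h1>Widget: £10</h1>";
  const after = "<h1>Widget: £12</h1>";
  const first = respond("/index.html", before);
  const revisit = respond("/index.html", before, { "If-None-Match": first.headers.ETag });
  const afterDeploy = respond("/index.html", after, { "If-None-Match": first.headers.ETag });
  return {
    firstStatus: first.status,             // 200: full page
    revisitStatus: revisit.status,         // 304: unchanged, browser reuses its copy
    afterDeployStatus: afterDeploy.status, // 200: new content, new ETag
    etagChanged: first.headers.ETag !== afterDeploy.headers.ETag,
  };
}
```

The design choice worth noting is that no-cache on HTML does not mean "do not cache": the browser keeps the page and spends one conditional request per visit, which is what makes the 9:01am price change visible without giving up the fast path for unchanged pages.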

Security without compromise

Every TechTailors client gets this security stack as a default standard — your visitors' safety isn't negotiable.

Talk to Us About Security