# Hosting security headers

Laurel emits plain static files. The host serves them. That means **the hosting platform is responsible for HTTP response headers** — Laurel itself cannot send a `Content-Security-Policy` or `Strict-Transport-Security` header at request time, because there is no Laurel process at request time.

This page collects copy-pasteable header snippets for the hosted platforms the [deploy tutorial](../tutorials/04-deploy.md) covers (Cloudflare Pages, Vercel, Netlify, Firebase Hosting, GitHub Pages), plus the matching `laurel.toml` settings for self-hosted nginx. Pick the one that matches your host and add it to the place that host actually reads.

> If you skip this step, your site ships with the defaults the host gives you.
> On most free tiers that means **no CSP, no HSTS, no Referrer-Policy** — fine
> for a personal site, risky for one that accepts contributions to `content/`,
> uses `build.allow_code_injection`, or serves a custom domain.

For the build-time side — which frontmatter and config fields ship code to visitors, and what to look for when reviewing a contributor's PR — see [`threat-model.md`](./threat-model.md). The two pages complement each other: `threat-model.md` covers what Laurel emits, `hosting.md` covers what the host wraps around that output.

## What Laurel actually emits

The CSP below is calibrated for what Laurel puts on the page:

- **Inline `
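The callout above warns that a host's free-tier defaults usually ship none of the three headers this page cares about. The script below is an added example, not part of Laurel or of any of the hosts' tooling: it reads raw HTTP response headers (from `curl -I` against a live deployment, or from a captured block on stdin) and reports which of `Content-Security-Policy`, `Strict-Transport-Security` and `Referrer-Policy` are absent. The two embedded responses are constructed samples, one imitating a bare static host and one imitating the same host after a header rule is applied; the header values in the hardened sample are illustrative, not the CSP this page derives.

```bash
#!/usr/bin/env bash
# Added example (not Laurel's code): verify that the host is actually emitting the
# security headers this page asks you to configure. Header names are matched
# case-insensitively, as HTTP requires.

# The three headers the callout says most free tiers omit by default.
REQUIRED_HEADERS="content-security-policy strict-transport-security referrer-policy"

# Read raw response headers on stdin. Print "missing: <name>" for each required
# header that is absent. Returns 0 when all are present, 1 otherwise.
check_headers() {
  local headers missing=0 name
  # Strip CR from CRLF line endings and lower-case everything before matching.
  headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  for name in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$headers" | grep -q "^$name:"; then
      echo "missing: $name"
      missing=1
    fi
  done
  return $missing
}

# Count how many required headers a captured response block lacks.
count_missing() {
  printf '%s' "$1" | check_headers | wc -l | tr -d ' '
}

# Constructed sample: roughly what a static host returns with no header config at all.
SAMPLE_DEFAULT_RESPONSE="HTTP/2 200
content-type: text/html; charset=utf-8
cache-control: public, max-age=0, must-revalidate
server: example-static-host
"

# Constructed sample: the same response after a _headers / vercel.json style rule
# has been applied. Values are illustrative, not this page's recommended policy.
SAMPLE_HARDENED_RESPONSE="HTTP/2 200
content-type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
"

# Live check when a URL is given: -I fetches headers only, -L follows the
# http -> https redirect most hosts add, -s keeps the output clean.
if [ -n "${1:-}" ]; then
  if curl -sIL "$1" | check_headers; then
    echo "all required headers present"
  fi
fi
```

Run it as `./check-headers.sh https://your-site.example` after deploying; a non-zero exit with one or more `missing:` lines means the host is not reading the header file or config block you added, which is the usual failure mode when the file sits in the wrong directory or the deploy did not pick it up.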