Bolt.new Security Guide
What security headers does Bolt.new set?
Bolt.new typically does not configure security headers in the generated application code. Headers like Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy are usually absent. These headers are essential for preventing cross-site scripting, clickjacking, MIME sniffing, and other browser-based attacks. The deployment platform may add some basic headers, but a comprehensive security header configuration must be added manually. UNPWNED checks for all recommended security headers and grades your application based on the Mozilla Observatory scoring standard.
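Adding the headers manually can look like the following added example, which is not code generated by Bolt.new or taken from UNPWNED. It sets the five headers named above on a Node.js response and audits a response for any that are absent; the header values, `SECURITY_HEADERS`, the function names and the sample response are assumptions constructed for illustration.

```javascript
// Added example: baseline values for the five headers named above.
// The values are assumptions; adjust the CSP to match what the app actually loads.
const SECURITY_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Set every baseline header on a Node.js http.ServerResponse (or an Express res).
// Call before the body is written; an existing value for the same header is overwritten.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  return res;
}

// Audit response headers (plain object, any casing) and return the names of
// the recommended headers that are absent or set to an empty value.
function missingSecurityHeaders(headers) {
  const present = new Set(
    Object.entries(headers)
      .filter(([, value]) => String(value ?? "").trim() !== "")
      .map(([name]) => name.toLowerCase())
  );
  return Object.keys(SECURITY_HEADERS).filter(
    (name) => !present.has(name.toLowerCase())
  );
}

// Constructed sample: headers a static host might return for an unconfigured app.
const sampleResponse = {
  "content-type": "text/html; charset=utf-8",
  "x-content-type-options": "nosniff",
  "cache-control": "public, max-age=0",
};
console.log(missingSecurityHeaders(sampleResponse));
```

To audit a deployed app, pass `Object.fromEntries(response.headers)` from a `fetch` call to `missingSecurityHeaders`.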
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.