Netlify Security Guide

How to secure a Netlify site?

Add a _headers file or a netlify.toml with a comprehensive set of security headers, including Content-Security-Policy, Strict-Transport-Security, and X-Content-Type-Options. Scope environment variables to specific deploy contexts so that production secrets are not exposed in deploy previews. Enable Netlify Identity, or add authentication to serverless functions that handle sensitive operations. Configure redirect rules so they cannot be abused as open redirects. Disable public build logs if they might contain sensitive output. Add rate limiting through Netlify Edge Functions or a CDN such as Cloudflare. UNPWNED provides a full security audit of your Netlify deployment with specific fix instructions.
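The headers, redirect rules and deploy-context scoping described above, as an added netlify.toml example that is not from this page or from Netlify; the hostnames, paths and variable names in it are assumptions.

```toml
# Added example netlify.toml (not from the page or from Netlify): the
# headers, redirect and deploy-context settings the answer describes.

# 1. Security headers applied to every path.
[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "DENY"
    Referrer-Policy = "strict-origin-when-cross-origin"
    Permissions-Policy = "camera=(), microphone=(), geolocation=()"

# 2. Redirect rules with fixed destinations only. The host of an
#    external redirect is a literal; a user-controlled query value is
#    never interpolated into "to", so the rule cannot become an open
#    redirect. Paths and hostnames are assumptions.
[[redirects]]
  from = "/docs/*"
  to = "https://docs.example.com/:splat"
  status = 301
  force = true

[[redirects]]
  from = "/api/*"
  to = "/.netlify/functions/:splat"
  status = 200

# 3. Deploy-context scoping. Non-secret values that differ per context
#    can live here; real secrets are set in the Netlify UI or CLI with
#    the same context scope rather than committed to this file, so a
#    deploy preview never receives the production value.
#    Variable names and values are assumptions.
[context.production.environment]
  API_BASE_URL = "https://api.example.com"

[context.deploy-preview.environment]
  API_BASE_URL = "https://api-staging.example.com"

[context.branch-deploy.environment]
  API_BASE_URL = "https://api-staging.example.com"
```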


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.