Is Netlify secure by default?
Netlify provides a solid foundation with automatic HTTPS via Let's Encrypt and DDoS protection, but many security features require manual configuration. Security headers like Content-Security-Policy are not added by default, environment variables can be exposed if build logs are public, and serverless functions lack built-in authentication or rate limiting. Netlify deploy previews can also expose staging content to anyone with the URL. The platform handles infrastructure security well but application-level security is entirely the developer's responsibility. UNPWNED checks your Netlify deployment for missing security headers, exposed configurations, and function security.
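Since headers such as Content-Security-Policy have to be configured by hand, the check below audits a Netlify `_headers` file for the ones that are still missing. It is an added example, not code from Netlify or UNPWNED. The required-header list, the simplified path matching, and both sample files are assumptions made for illustration.

```javascript
// Headers expected on every path: an assumption of this example,
// not a rule set published by Netlify or UNPWNED.
const REQUIRED = ["content-security-policy", "strict-transport-security",
  "x-content-type-options", "x-frame-options", "referrer-policy"];

// `_headers` format: an unindented line is a path pattern; the indented
// `Name: value` lines under it are the headers for that pattern.
function parseHeadersFile(text) {
  const rules = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(raw)) {
      if (!rules.has(line)) rules.set(line, new Map());
      current = rules.get(line);
      continue;
    }
    const idx = line.indexOf(":");
    if (current === null || idx < 1) continue; // malformed line: skip
    current.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return rules;
}

// Simplified matching: exact path or a trailing `*` wildcard only.
function matches(pattern, path) {
  return pattern.endsWith("*") ? path.startsWith(pattern.slice(0, -1)) : pattern === path;
}

// Required headers that no matching rule sets, plus a weak-CSP flag.
// Assumes every matching rule contributes its headers to the response.
function auditPath(rules, path) {
  const applied = new Map();
  for (const [pattern, headers] of rules) {
    if (matches(pattern, path)) headers.forEach((v, k) => applied.set(k, v));
  }
  const missing = REQUIRED.filter((h) => !applied.has(h));
  const csp = applied.get("content-security-policy") || "";
  const weak = /'unsafe-(inline|eval)'/.test(csp) ? ["csp-allows-unsafe-source"] : [];
  return { missing, weak };
}

// Constructed sample files, not taken from any real site.
const BEFORE = "/*\n  X-Frame-Options: DENY\n/api/*\n  Cache-Control: no-store\n";
const AFTER = ["/*", "  Content-Security-Policy: default-src 'self'",
  "  Strict-Transport-Security: max-age=63072000; includeSubDomains",
  "  X-Content-Type-Options: nosniff", "  X-Frame-Options: DENY",
  "  Referrer-Policy: strict-origin-when-cross-origin"].join("\n");
console.log(auditPath(parseHeadersFile(BEFORE), "/index.html"));
```

Running the audit in CI against the `_headers` file in the publish directory catches a dropped header before the deploy goes out.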
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.