coaster set · co-sec-004 · 4-pack

Security Headers.

stops XSS before it ships.
launching spring 2026
$16.99 · set of 4 · 3.75" × 3.75"
CSP — default-src, script-src, nonce, report-uri.
HSTS — max-age, includeSubDomains, preload.
CORS — Origin, Methods, Headers, Credentials.
Frames — DENY, SAMEORIGIN, CSP frame-ancestors.
3.75" × 3.75" each coaster · Cork-backed hardboard · Dye-sub print
§ the full brief

Four coasters. Four security headers every web developer should know cold.

The set
Coaster 1 — CSP (Content Security Policy) · lock it down. default-src, script-src, nonce, report-uri.
Coaster 2 — HSTS · HTTPS only. max-age, includeSubDomains, preload. "you cannot go back — choose carefully."
Coaster 3 — CORS · who can call? Origin, Methods, Headers, Credentials, OPTIONS preflight.
Coaster 4 — Frames · no iframes. DENY, SAMEORIGIN, CSP frame-ancestors. Prevent clickjacking.
Your drink stays dry
Your app stays secure. Everybody wins.
The details
4 glossy hardboard coasters, 3.75" × 3.75". Cork-backed, heat resistant. Dye sublimation print.
Perfect for
Security-conscious developers, DevSecOps engineers, or anyone who's ever been woken up by a CSP violation.

Part of the quux coaster collection. quux.shop
