Security headers & hardening
CSRF, CSP, HTTPS, rate limiting, lockout.
Layer security_headers (HSTS, X-Frame-Options, nosniff, Referrer-Policy, CSP), csp_nonce (a fresh CSP nonce per request), ssl_redirect, and host_validation (parity with ALLOWED_HOSTS). On the auth endpoints, rate_limit (token bucket) and account_lockout (cache-backed failure counter) throttle request bursts and lock out repeated failed logins.
Defense in depth
Combine HTTPS redirect + HSTS + security headers + rate limiting + lockout — no single layer is sufficient.
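As an added sketch of the layers named above (not this project's own code), a minimal Python version of the header set with a per-request CSP nonce, a token-bucket limiter, and a lockout counter, plus a gate that applies them in order before any password check. The in-memory dicts stand in for the cache backend, and every name here is assumed rather than taken from the project.

```python
import secrets
import time

def security_headers(nonce: str) -> dict:
    """Headers for every response; the CSP carries the per-request nonce."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": f"default-src 'self'; script-src 'self' 'nonce-{nonce}'",
    }

def new_nonce() -> str:
    return secrets.token_urlsafe(16)  # fresh per request; a reused nonce defeats the CSP

class TokenBucket:
    """Per-key bucket: `capacity` tokens of burst, refilled at `refill` tokens/second."""
    def __init__(self, capacity: float, refill: float, clock=time.monotonic):
        self.capacity, self.refill, self.clock, self.state = capacity, refill, clock, {}
    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        ok = tokens >= 1
        self.state[key] = (tokens - 1 if ok else tokens, now)
        return ok

class AccountLockout:
    """Per-account failure counter; dicts stand in for the cache backend (assumed)."""
    def __init__(self, max_failures: int, lock_seconds: float, clock=time.monotonic):
        self.max, self.lock_for, self.clock, self.fails, self.until = max_failures, lock_seconds, clock, {}, {}
    def is_locked(self, user: str) -> bool:
        return self.until.get(user, 0.0) > self.clock()
    def reset(self, user: str) -> None:  # a successful login clears counter and lock
        self.fails.pop(user, None)
        self.until.pop(user, None)
    def record_failure(self, user: str) -> None:
        self.fails[user] = self.fails.get(user, 0) + 1
        if self.fails[user] >= self.max:
            self.until[user] = self.clock() + self.lock_for
            self.fails[user] = 0

def gate_login(ip: str, user: str, limiter: TokenBucket, lockout: AccountLockout) -> str:
    """Cheap per-IP limit first, then per-account lockout, before any password check."""
    if not limiter.allow(ip):
        return "rate_limited"
    if lockout.is_locked(user):
        return "locked"
    return "proceed"
```

The injectable clock lets both counters be tested deterministically; in production the cache entries need a TTL so stale lockouts expire on their own.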