Ecotone Brand Portfolio

Generative Engine Optimization
for the AI-First Era

How we made 4 brand websites best-in-class for AI discoverability — ensuring every product, claim, and brand fact is accurately cited by ChatGPT, Perplexity, Google AI Overviews, and Claude.

Sites

43/43

Audit Score

36+

Discovery Files

161

Products with PLM Nutrition

115

FAQ Pairs

60+

AI Crawlers Managed

The Shift

What is GEO?

AI search is replacing traditional search. ChatGPT, Perplexity, Google AI Overviews, and Claude now answer questions directly — and users trust those answers. Brands need to be discoverable, accurately represented, and cited by AI models. This is Generative Engine Optimization.

Traditional SEO

Optimise for Google's blue links
Keywords and backlinks
Meta tags and titles
Hope search engines index you
No control over AI interpretation

→

Generative Engine Optimization

Optimise for AI model understanding
Structured data and discovery files
Machine-readable identity and facts
Explicitly guide AI crawlers and permissions
Full control over brand representation in AI

The Portfolio

4 Brand Websites, Fully Optimised

Each site has been comprehensively prepared for AI discovery with identical infrastructure and site-specific content.

Ecotone Corporate

"Food for Biodiversity"

16 Brands

EN/FR Multilingual

llms.txt EN full FR full ai.txt faq-ai.txt identity.json robots.txt

Visit site

Kallo

"Natural, organic foods & seasonings"

67 Products

29 FAQs

llms.txt llms-full.txt ai.txt faq-ai.txt brand.txt identity.json robots.txt

Visit site

Clipper Teas

"UK's original Fairtrade tea company"

69 Products

29 FAQs

llms.txt llms-full.txt ai.txt faq-ai.txt brand.txt identity.json robots.txt

Visit site

Mrs Crimble's

"Gloriously gluten free since 1979"

25 Products

30 FAQs

llms.txt llms-full.txt ai.txt faq-ai.txt brand.txt identity.json robots.txt

Visit site

AI Discovery

Multilingual Discovery Files

Every brand site publishes discovery files in its local language plus English — ensuring visibility in both native-language AI search and ChatGPT/Claude's English retrieval pipeline.

File	Purpose	Kallo	Clipper	Crimble's	Ecotone
llms.txt	AI-optimised site summary	View	View	View	View
llms-full.txt	5,000+ word comprehensive brand reference	View	View	View	View
ai.txt	AI permissions & restrictions (v1.1.1)	View	View	View	View
brand.txt	Canonical naming & terminology guide	View	View	View	View
faq-ai.txt	25–30 Q&A pairs for AI retrieval	View	View	View	View
identity.json	Machine-readable organisational identity	View	View	View	View
robots.txt	60+ AI crawler management rules	View	View	View	View
sitemap.xml	All pages + discovery files	View	View	View	View

Schema.org

12+ JSON-LD Schema Types

Every page emits rich structured data that AI models and search engines use to understand content, relationships, and context.

Organization

WebSite

WebPage

FAQPage

Product

NutritionInformation

Recipe

CollectionPage

ContactPage

BreadcrumbList

SpeakableSpecification

SearchAction

See it yourself: View any page source on these sites and search for application/ld+json to inspect the structured data.

Data Integrity

Real PLM Nutrition Data

We connected directly to Ecotone's beCPG Product Lifecycle Management system and extracted verified nutrition data for 161 products.

beCPG PLM

Ecotone's product data system

→

Extract & Clean

API extraction, normalisation

→

Security Filter

Strip internal ERP codes

→

JSON-LD Output

NutritionInformation schema

Access Control

Open Crawler Strategy

We allow all AI crawlers — both search and training. Our discovery files are designed to be consumed by AI models.

Search & Retrieval Bots

Fetch content in real time to answer user queries.

OAI-SearchBot (ChatGPT search)
ChatGPT-User (live browsing)
Claude-SearchBot (Claude search)
PerplexityBot
bingbot / Bingbot
Amazonbot
Googlebot

Training Crawlers

Index content for model training — building permanent brand knowledge.

GPTBot (OpenAI training)
ClaudeBot (Anthropic training)
CCBot (Common Crawl)
Google-Extended
Bytespider / ByteDance
Meta-ExternalAgent
cohere-ai / Diffbot

Strategy: "Maximum AI visibility — allow all crawlers so our brand is known at both the training and search layers"

Quality Assurance

Audit Results

Every site passes all 43 checks in our comprehensive GEO audit.

43/43

Perfect score across all sites

llms.txt present

llms-full.txt present

ai.txt v1.1.1

brand.txt present

faq-ai.txt present

identity.json present

robots.txt configured

sitemap.xml valid

Organization schema

Product schema

NutritionInformation

FAQPage schema

BreadcrumbList

SpeakableSpecification

parentOrganization

sameAs linking

Bot pre-rendering

Canonical URLs

Open Graph tags

Twitter Cards

Competitive Edge

What Makes This Best-in-Class

Multilingual Discovery Files

9 machine-readable files per site, covering every major AI discovery protocol.

Deep Research, Every Claim Sourced

Every fact is verifiable and attributable — AI models can cite with confidence.

Real PLM Nutrition Data

161 products with nutrition data pulled directly from Ecotone's beCPG system.

Cross-Site Entity Graph

Bidirectional schema linking between parent company and brand sites.

Bot Pre-Rendering

All sites serve pre-rendered HTML to JS-disabled AI crawlers.

Strategic Crawler Management

60+ crawlers categorised with a deliberate allow/block strategy.

Multilingual GEO

Native French content for the French market — not machine translations.

Voice Search Ready

SpeakableSpecification schema enables voice assistants to read brand info.

Comprehensive Reference

Search Engine Optimization
The Complete Playbook

Every technique, principle, and best practice for maximising organic search visibility — from technical foundations to AI-era answer engine optimization.

What is SEO in 2026?

SEO has evolved from keyword stuffing and link farms to a sophisticated discipline covering technical performance, content quality, user experience, and AI answer engine visibility. Here's the difference between doing it well and doing it badly.

Neglected SEO

No sitemap or robots.txt
Slow page loads, poor Core Web Vitals
Missing meta descriptions and alt text
No structured data or schema
Duplicate content and broken links
No mobile optimisation

→

Best-Practice SEO

XML sitemaps, robots.txt, canonical URLs
Sub-2.5s LCP, under 200ms INP, CLS < 0.1
Unique titles, descriptions, and image alt text
12+ schema types with JSON-LD
Clean URL structure, internal linking strategy
Mobile-first, accessible, HTTPS everywhere

Category 1

Technical SEO

The invisible foundation. If search engines can't crawl, render, and index your site efficiently, nothing else matters.

Critical

Crawlability & Indexing

Ensure search engines can discover and index every important page.

XML sitemap with <lastmod> dates, submitted to Search Console
robots.txt allowing important paths, blocking admin/staging
Canonical URLs on every page to prevent duplicate content
301 redirects for moved pages (never chains >3 hops)
Pagination with rel="next"/rel="prev" or infinite scroll handled
IndexNow for instant indexing on Bing & Yandex
Monitor crawl budget via server log analysis

Critical

Site Speed & Performance

Page speed is a confirmed ranking factor. Every millisecond counts.

Compress images (WebP/AVIF), serve responsive sizes
Enable Brotli/Gzip compression for text resources
Minify CSS, JS; eliminate render-blocking resources
Use a CDN for global delivery
Implement HTTP/2 or HTTP/3
Preload critical assets (fonts, LCP image)
Lazy-load below-fold images and videos
Inline critical CSS, defer non-critical stylesheets

Critical

HTTPS & Security

HTTPS is a confirmed ranking factor since 2014. No exceptions.

SSL/TLS certificate on all pages (auto-renewing via Let's Encrypt)
Force HTTPS redirects (301 from HTTP)
HSTS header with includeSubDomains and preload
Update all internal links to HTTPS
Ensure mixed content warnings are resolved

Important

URL Structure

Clean, descriptive URLs that both users and search engines understand.

Short, keyword-rich slugs (under 75 characters)
Lowercase only, hyphens not underscores
No query parameters for primary content
Subfolders over subdomains for SEO content
Consistent trailing slash policy
Remove stop words from URLs

Category 2

On-Page SEO

The content and HTML elements on each page that tell search engines what the page is about and why it should rank.

Title Tags & Meta Descriptions

Unique title per page, 50–60 characters, primary keyword near front
Compelling meta description, 150–160 characters, with call to action
Brand name in title (end position for non-homepage)
Avoid duplicate titles across pages
Power words and numbers increase CTR

Heading Hierarchy

Single H1 per page containing the primary keyword
Logical H2→H3→H4 hierarchy (never skip levels)
Use headings to outline content structure
Include secondary keywords in H2/H3 headings
Headings should be descriptive, not generic

Content Optimization

Answer the primary query in the first 100 words
Natural keyword placement (1–2% density, no stuffing)
Use semantic variations and related terms (LSI keywords)
Comprehensive content that fully covers the topic
Break up text with lists, tables, images, and subheadings
Update content regularly — freshness is a ranking signal

Image & Media Optimization

Descriptive alt text on every image (screen readers + SEO)
Descriptive file names (organic-rice-cakes.webp, not IMG_4521.jpg)
Compress and serve in modern formats (WebP, AVIF)
Specify width/height to prevent CLS
Use <picture> element for responsive images
Add captions where contextually relevant

Internal Linking

2–5 contextual internal links per 1,000 words
Descriptive anchor text (not "click here")
Link from high-authority pages to important pages
Hub-and-spoke content clusters around pillar pages
Keep all pages within 3 clicks of the homepage
Total links per page under 150 for link equity

Open Graph & Social Meta

og:title, og:description, og:image, og:url on every page
Twitter Card meta tags for X/Twitter
Compelling social sharing images (1200×630px)
Test with Facebook Debugger and Twitter Card Validator

Category 3

Structured Data & Schema Markup

Pages with schema markup receive 42% more AI citations and dramatically higher click-through rates via rich snippets.

Schema Type	Use Case	Rich Result
Organization	Brand identity, logo, social profiles, contact	Knowledge Panel
Product	Products with price, availability, reviews	Product rich snippets
FAQPage	Question-and-answer pairs	Expandable FAQ in SERP
HowTo	Step-by-step instructions	Step display in SERP
Recipe	Recipes with ingredients, times, nutrition	Recipe card in SERP
Article / BlogPosting	Articles with author, date, publisher	Article rich result
BreadcrumbList	Navigation breadcrumbs	Breadcrumb trail in SERP
LocalBusiness	Physical locations with hours, address	Local pack results
Review / AggregateRating	Customer reviews and star ratings	Star ratings in SERP
Event	Events with dates, locations, ticketing	Event rich result
VideoObject	Video content with duration, thumbnail	Video thumbnails in SERP
SpeakableSpecification	Voice-search-ready content sections	Voice assistant answers

Implementation: Always use JSON-LD format (Google's preference). Test with Google's Rich Results Test. Monitor in Search Console's Enhancements reports.

Category 4

Core Web Vitals & Page Experience

Three metrics that Google uses as ranking factors. Only 47% of websites pass all three in 2026.

<2.5s

Largest Contentful Paint (LCP)

Time for largest visible element to render

<200ms

Interaction to Next Paint (INP)

Responsiveness to user interactions

<0.1

Cumulative Layout Shift (CLS)

Visual stability during page load

LCP Optimization

Preload hero images, inline critical CSS, use a CDN, compress images to WebP/AVIF, eliminate render-blocking JS. Never lazy-load the LCP element. For every second beyond 2.5s, bounce rates increase 32%.

INP Optimization

Break long JavaScript tasks into smaller chunks, use scheduler.yield(), defer non-critical JS, minimise DOM size. Replaced FID in March 2024 as the official responsiveness metric.

CLS Optimization

Always set width/height on images and videos, reserve space for ads, preload fonts with font-display: swap, use CSS transform for animations instead of layout-triggering properties.

Page Experience Signals

HTTPS, no intrusive interstitials, Safe Browsing compliance, mobile-friendly design. Cookie consent and age verification interstitials are exempt from penalties.

Category 5

E-E-A-T & Content Strategy

Experience, Expertise, Authoritativeness, and Trustworthiness — Google's quality framework that underpins every ranking decision.

Experience

Demonstrate first-hand experience with the topic.

Include author bios with credentials and experience
Share original case studies, data, and research
Use first-person accounts where appropriate
Include original photos, screenshots, and evidence

Expertise

Content must be created by people with genuine knowledge.

Author pages with qualifications and track record
Expert quotes boost AI visibility by ~41%
Cite authoritative sources with specific data
Peer review for YMYL (Your Money, Your Life) content

Topical Authority

Become the definitive source on your subject area.

Build content clusters: pillar pages + supporting articles
Cover topics comprehensively — breadth and depth
Internal link from supporting articles to pillars and back
Publish consistently on your core topics
Earn mentions and links from industry publications

Content Freshness

AI engines weigh recency when selecting sources to cite.

Update cornerstone content quarterly with new data
Add dateModified to schema markup
Content updated within 30 days gets 67% more AI citations
Archive or redirect truly outdated content
Show last-updated dates visibly on pages

Categories 6–8

Off-Page, Local & International SEO

What happens beyond your site matters as much as what's on it — links, citations, local presence, and global reach.

LINKS

Link Building

Quality backlinks remain the strongest ranking signal. Earn them through original research, digital PR, expert contributions, and shareable data assets. One link from a DR 70+ site beats 100 links from directories.

Domain Authority

Build authority through diverse referring domains, branded mentions, consistent publishing, and cross-platform presence (LinkedIn, Wikipedia, Crunchbase). Monitor with Ahrefs DR or Moz DA.

LOCAL

Google Business Profile

Claim and optimise your GBP listing. NAP (Name, Address, Phone) must be consistent everywhere. Respond to reviews. Add photos weekly. Use LocalBusiness schema. 46% of Google searches have local intent.

LOCAL

Local Citations

List your business consistently on Yelp, Apple Maps, Bing Places, and industry-specific directories. Inconsistent NAP data confuses search engines and hurts local rankings.

i18n

Hreflang Tags

For multilingual sites, implement hreflang annotations so Google serves the right language to the right user. Use x-default for fallback. Validate with hreflang testing tools.

i18n

Country Targeting

Use ccTLDs or subdirectories (/fr/, /de/) for geo-targeting. Set geographic targeting in Search Console. Use Content-Language headers and lang attributes.

SOCIAL

Brand Signals

Branded search volume, social media presence, and mentions on Reddit, Quora, and forums all contribute to entity recognition. LLMs reference diverse sources — be everywhere.

REVIEWS

Review Strategy

Actively solicit and respond to reviews on Google, Trustpilot, and industry platforms. Use Review and AggregateRating schema. Reviews with 4.0+ stars boost CTR significantly.

Categories 9–11

Mobile, Voice & JavaScript SEO

Over 60% of searches are on mobile. 8.4 billion voice assistants are in use. And JavaScript can make or break your indexing.

Critical

Mobile-First Indexing

Google indexes the mobile version of your site first
Responsive design (single URL, adapts to all screens)
Minimum 16px font size, 48px tap targets
No horizontal scrolling on mobile
Test with Google's Mobile-Friendly Test
Mobile page speed: under 5 seconds or lose 90% of users

Growing

Voice Search Optimization

Target conversational, long-tail question keywords
Provide direct answers in the first 40–60 words
Win featured snippets (voice assistants read them 40.7% of the time)
Voice results load 52% faster than average pages
FAQPage schema is essential for voice answers
Local SEO matters — many voice searches are local

Critical

JavaScript Rendering

Server-Side Rendering (SSR) for all indexable content
Static Site Generation (SSG) for maximum speed
Avoid pure client-side rendering for SEO content
Dynamic rendering deprecated by Google (2024–2025)
Use standard <a href> tags, not JS-only navigation
Frameworks: Next.js, Nuxt, SvelteKit, Astro

New for 2026

Accessibility as a Ranking Factor

Google's Sept 2025 update made accessibility an official signal
Sites meeting WCAG standards saw 37% more organic traffic
Alt text, heading hierarchy, colour contrast (4.5:1 minimum)
Keyboard navigability and screen reader compatibility
ARIA labels, form labels, clear error messages
Aim for WCAG 2.1 AA compliance at minimum

Category 12

AI & Answer Engine Optimization

AI Overviews now trigger for ~18.5% of commercial queries. Being cited in AI answers is the new "ranking first."

41%

Visibility boost from including expert quotes in content

Semrush research

30%

Boost from including statistics with cited sources

Semrush research

42%

More AI citations for pages with schema markup

Semrush research

Direct Answer Formatting

Answer the primary question completely in the first sentence. Keep answer paragraphs to 40–60 words. Use clear, definitive language. Structure every section as a standalone, independently citable chunk.

Entity Optimization

Establish your brand as a recognized entity in knowledge graphs. Use Organization and Person schema. Maintain consistent information across Wikipedia, Wikidata, LinkedIn, and Crunchbase.

Citation-Worthy Content

LLMs seek third-party validation. Include specific statistics with sources, expert quotes with attributions, original data and research, and clear authorship credentials.

Multi-Platform Presence

LLMs train on diverse sources. Maintain profiles on LinkedIn, industry publications, Reddit, and forums. Consistent entity information strengthens AI citation likelihood across all platforms.

Living Reference · Last updated June 2026

Latest LLM-Readiness Research

A continually updated reality-check on what actually moves AI visibility — so effort goes where the evidence is, not where the hype is.

~10%

Of domains have adopted llms.txt after 18 months — and AI search crawlers overwhelmingly skip it, fetching HTML directly

SE Ranking, 300k-domain study (Nov 2025)

20–30%

More often pages with FAQ, HowTo & QAPage schema appear in AI-generated answers

AI-summary appearance analysis (2026)

Retroactive effect of blocking a training bot — content already ingested stays in the model. Openness compounds over time

Crawler-behaviour observations (2026)

Discovery files are a B2A play, not an SEO lever

Treat llms.txt and friends as a machine-readable surface for AI agents (Perplexity retrieves it; Claude shows a small citation bump; IDE agents and MCP tools consume it). Google confirmed in 2025 it does not support llms.txt. Keep the files — they're cheap — but don't expect search-ranking impact from them.

Structured data is the highest-leverage win

Valid JSON-LD — especially FAQ, HowTo, QAPage, Product and NutritionInformation — is the single most reliable lever on AI citation frequency. Validate it, keep it in the pre-rendered HTML, and make sure it matches the visible content.

Freshness is a ranking signal for AI

Generative engines weight recency. Keep dateModified accurate, surface a visible “last updated” date, and refresh cornerstone content quarterly — an up-to-date page out-cites an identical stale one.

Open the doors to every AI crawler

For public brand sites the default is allow-everything — search, retrieval and training. Being in training data means models learn the brand permanently; being open to retrieval bots is what earns live citations. The biggest own-goal is blocking AI crawlers in robots.txt.

SEO remains the foundation of GEO

There is no shortcut around clean architecture, fast pages, accurate schema and authoritative, well-sourced content. The same signals that rank in search are the ones that get a brand cited in AI answers.

Categories 13–14

Analytics, Monitoring & Advanced Techniques

You can't improve what you don't measure. Track everything, iterate constantly.

Google Search Console

Performance reports: queries, pages, CTR, position
Pages report for indexing issues
Core Web Vitals monitoring
Manual Actions and Security Issues
URL Inspection tool for individual page status
Structured data enhancements reports

Google Analytics 4

Organic traffic segmentation by landing page and query
Engagement rate, time on page, pages per session
Conversion tracking from organic traffic
Link with Search Console for integrated data
Set up automated alerts for traffic drops

Key Metrics to Track

Organic traffic volume and trends (YoY, MoM)
Keyword rankings and SERP feature presence
Click-through rate by position
Backlink profile health and referring domains
Crawl errors and index coverage
Core Web Vitals (real user monitoring)

Advanced Techniques

Server log analysis for actual crawl behaviour
Edge SEO via CDN workers (Cloudflare Workers)
Programmatic SEO for data-driven page generation
AI citation tracking across ChatGPT, Perplexity, Gemini
Knowledge Panel optimization
Negative SEO protection and toxic link disavowal

Quick Reference

SEO Implementation Checklist

The essential items every website should have in place.

XML sitemap submitted

robots.txt configured

Canonical URLs set

HTTPS everywhere

HSTS enabled

Unique title tags

Meta descriptions

Single H1 per page

Image alt text

WebP/AVIF images

LCP under 2.5s

INP under 200ms

CLS under 0.1

Mobile responsive

Organization schema

BreadcrumbList schema

Open Graph tags

Internal linking strategy

Content clusters

Search Console linked

GA4 tracking

Accessibility (WCAG 2.1)

No broken links

301 redirects clean

Production-Hardened

Website Security
Our Standard Operating Procedure

Every website we build follows a battle-tested security framework — from HTTP headers to API endpoint protection, environment encryption, and real-time threat detection.

12+

Security Headers

Encrypted

Env Variables

Multi-Layer

Probe Detection

OWASP

Top 10 Covered

Hardened

Authentication

The Standard

Why Security Is Non-Negotiable

A hacked website gets deindexed by Google, loses customer trust overnight, and can expose personal data. We build security into every layer from day one — not bolted on as an afterthought.

Typical Website

Default server headers, no CSP
Plaintext environment variables
No rate limiting or probe detection
Cookies without httpOnly or secure flags
No User-Agent validation
Passwords stored as MD5 or plain text

→

Our Standard

Helmet.js with full CSP, HSTS, X-Frame-Options
Encrypted .env files with authenticated encryption
API security middleware with IP blocking
httpOnly, secure, sameSite cookies in production
Suspicious User-Agent blocking
Memory-hard password hashing with timing-safe comparison

Layer 1

HTTP Security Headers

Every response from our servers includes a comprehensive set of security headers via Helmet.js — the first line of defence against XSS, clickjacking, and MIME-sniffing attacks.

Header	Value	Protects Against
Content-Security-Policy	default-src 'self'; script-src 'self' analytics; style-src 'self' 'unsafe-inline' fonts; img-src 'self' data https; frame-ancestors 'none'; object-src 'none'	XSS, code injection, clickjacking
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload	Protocol downgrade, cookie hijacking
X-Frame-Options	DENY	Clickjacking attacks
X-Content-Type-Options	nosniff	MIME-type sniffing
Referrer-Policy	strict-origin-when-cross-origin	Information leakage via referrer
Permissions-Policy	camera=(), microphone=(), geolocation=(), payment=()	Unauthorized hardware/API access
Cache-Control (API)	no-store, no-cache, must-revalidate	Sensitive data caching
X-DNS-Prefetch-Control	Controlled per environment	DNS prefetch information leakage

Layer 2

Environment Variable Encryption

API keys, database credentials, and third-party secrets are never stored in plaintext. We encrypt all .env files using industry-standard authenticated encryption with strong key derivation.

Encryption Standard

Authenticated encryption (encrypt-then-MAC)
Strong key derivation with high iteration count
Unique salt per encryption operation
Authentication tag prevents tampering
Decryption key required at runtime, never stored on disk
Plaintext secrets never touch the filesystem

Encrypted File Format

Environment files are encrypted at rest using authenticated encryption. Each file includes a unique salt, initialisation vector, and authentication tag. The encrypted payload is decrypted in memory at application startup — plaintext credentials never exist on disk.

This approach ensures that even if a server is compromised, environment secrets cannot be read without the separate decryption key.

Layer 3

API Endpoint Protection

Our API security middleware detects and blocks reconnaissance probes, hacker tools, and malicious requests before they reach the application.

Automated Probe Detection

Requests matching known attack signatures are immediately blocked and the source IP is flagged.

Sensitive path enumeration attempts
Environment and config file probes
CMS admin panel discovery scans
Remote code execution exploits
SQL injection patterns
Path traversal and directory escape attempts

User-Agent Filtering

Known vulnerability scanners and attack tools are rejected before reaching the application.

Automated vulnerability scanners
SQL injection tools
Network reconnaissance tools
Penetration testing frameworks
Web application security scanners
Requests with missing or suspicious identifiers

Adaptive rate limiting: Suspicious IPs are automatically blocked after repeated probe attempts, with configurable cooldown periods

Layer 4

Authentication & Session Security

Every authenticated endpoint uses industry-standard password hashing, timing-safe comparisons, and secure session management.

Password Hashing

Industry-standard memory-hard hashing algorithm
Unique cryptographic salt per password
Timing-safe comparison prevents timing attacks
Multiple hashing algorithms supported
Passwords never stored in plaintext or reversible encryption

Cookie & Session Security

httpOnly flag — prevents JavaScript access (XSS protection)
Secure flag — HTTPS-only transmission
SameSite attribute — CSRF protection
Server-side session store with proper TTL and expiry
Multi-factor authentication support (local + SSO)
Token-based authentication for stateless API access

Access Control

Elevated authentication for sensitive operations
Admin access restricted to whitelisted sources
Permission-based access control per route
Multi-tenant isolation with domain validation
Host header validation against allowlist

Input Validation

Request parameter sanitisation on all inputs
Schema-based validation for type-safe input parsing
Request size limiting with separate thresholds for uploads
Content-Type enforcement on API routes
X-Forwarded-For validation from trusted proxies only

Layer 5

Server & Infrastructure Hardening

Security doesn't stop at the application layer. Our web server configs, process management, and deployment practices are hardened to production standards.

SERVER

Web Server Hardening

Deny access to dotfiles and config files. Block backup and source file access. Restrict admin endpoints to trusted sources. Mitigate known proxy vulnerabilities. Status endpoints restricted to localhost.

PROCESS

Process Security

Applications run as a dedicated unprivileged user, never root. Process manager with startup persistence. Graceful shutdown handling. Process isolation between applications. No elevated privileges in production.

SSL

TLS Configuration

Auto-renewing SSL certificates. HSTS preload list submission. Modern TLS versions only (legacy protocols disabled). Strong cipher suites. OCSP stapling enabled.

DEPLOY

Deployment Security

Git-based deployments (no FTP). Dependency auditing in CI pipeline. Security linting with pre-commit hooks. Build-time security checks. No secrets in version control.

CACHE

Cache Security

API routes: no-store, no-cache, must-revalidate. Static assets: long-term immutable cache for hashed files. HTML pages: always revalidate. Proper ETags and Last-Modified headers.

MONITOR

Security Monitoring

Real-time notifications for security events. CSP violation reporting. IP-based probe logging with full request context. Automated security audit scripts in CI/CD.

Quick Reference

Security Implementation Checklist

Every website we deploy passes this checklist before going live.

Security headers configured

CSP headers set

HSTS enabled (1 year)

X-Frame-Options: DENY

X-Content-Type: nosniff

Referrer-Policy set

Permissions-Policy set

HTTPS enforced

SSL auto-renewal

.env files encrypted

No secrets in git

httpOnly cookies

sameSite cookies

Secure cookie flag

Password hashing (memory-hard)

Rate limiting enabled

API probe detection

User-Agent validation

Input validation (schema-based)

Request size limits

Unprivileged process user

Dotfile access blocked

npm audit clean

Security monitoring