A pentest found an XSS hole in your app. Your CDN is not setting HSTS. And your Content-Security-Policy either does not exist or lets everything through. Here is the header-by-header guide to fixing the six headers every production site and API should ship, with working middleware code and a CSP builder that does not make you hate yourself.