Case Study
PokeBotTCG — Security Hardening & Performance Audit
A promotional website for a Discord gaming bot. The site had excellent performance but zero security hardening — scoring an F on security headers and running weak TLS cipher suites.
Results at a Glance
Security Headers
F
→
A
SSL Labs
A
→
A+
PageSpeed (Desktop)
99
What We Found
✕ Zero security headers — every major header missing
✕ Weak TLS cipher suites (CBC-based) flagged by SSL Labs
✕ Server version exposed in response headers
✕ No HSTS — browser didn't enforce HTTPS
✕ No Content Security Policy — vulnerable to XSS injection
✕ No clickjacking protection (X-Frame-Options missing)
Security Headers — Before & After
Before
After
SSL Labs — Before & After
Before
After
Weak Cipher Suites — Before & After
Before — 6 Weak Ciphers
After — 0 Weak Ciphers
Performance — Already Excellent
Desktop — 99/100
Mobile — 92/100
What We Did
✓ Added six HTTP security headers
✓ Removed weak CBC cipher suites
✓ Enforced TLS 1.2 and 1.3 only
✓ Hidden server version information
✓ Implemented HSTS with preload
✓ Added Content Security Policy
✓ Configured clickjacking protection
✓ Set referrer and permissions policies
Security hardening transformed this site from an F to an A on security headers and from A to A+ on SSL — without changing a single line of the site's code or affecting its 99/100 performance score.
Our Own Site
Apex Web Forge — Built From Scratch
We don't just talk about performance and security. We prove it on our own site. Every score below is independently verifiable right now.
SSL Labs
A+
Security Headers
A
PageSpeed
99
✓ Hand-coded HTML & CSS — no CMS
✓ Self-hosted private analytics
✓ AI-powered lead notifications
✓ Form-to-Discord pipeline
✓ Automated intrusion detection
✓ Rate limiting on all endpoints
✓ Zero third-party dependencies
✓ Gzip compression & cache headers
Everything we offer to clients, we run on our own site first. This is our proof of concept — scan it, test it, verify the scores yourself.