The verdict in three sentences
A migration is the best time to fix security: you are changing the infrastructure anyway. Without an audit, you carry over old vulnerabilities and risk breaking SEO (indexed http URLs, mixed content). The 2026 checklist (HSTS, CSP, TLS 1.3, 301 redirects to https) moves a site from grade F to A on securityheaders.com, for a cost of 150,000 to 400,000 FCFA.
The security headers checklist
Each header blocks a category of attack. Here are the essentials and their effect.
| Header | Role | Without it | Priority |
|---|---|---|---|
| HSTS | forces HTTPS | interception possible | High |
| Content-Security-Policy | blocks injected scripts | XSS risk | High |
| X-Frame-Options | prevents clickjacking | site "framable" | High |
| X-Content-Type-Options | blocks MIME sniffing | browser may run a file as a type it was not served as | Medium |
| Referrer-Policy | limits URL leakage | data exposed | Medium |
| Permissions-Policy | restricts camera/mic/geo | API abuse | Medium |
A site without these headers typically scores an F; adding them correctly (with a CSP tested so nothing breaks) reaches an A or A+.
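To make the checklist concrete, here is an added example (not Kolonell's code and not the securityheaders.com scoring formula) that grades a set of HTTP response headers the way such a scan does: each of the six headers is looked up case-insensitively, its value is validated rather than just checked for presence, and High-priority headers weigh more than Medium ones. The point thresholds, the grade ladder, the 6-month HSTS minimum and the three sample header sets are all constructed assumptions for the example.

```python
"""Grade a dict of HTTP response headers against the six-header checklist.
Added example; the weights, grade ladder and HSTS threshold are assumptions."""
from typing import Callable, Dict, List, Tuple

# Assumed minimum HSTS lifetime (6 months in seconds) before the header counts.
HSTS_MIN_AGE = 15_552_000

# Referrer policies that never leak the full URL to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _hsts_ok(value: str) -> bool:
    """Accept e.g. 'max-age=31536000; includeSubDomains' if max-age is long enough."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= HSTS_MIN_AGE
            except ValueError:
                return False
    return False


def _csp_ok(value: str) -> bool:
    """A CSP only limits XSS if it constrains scripts and does not reopen the
    hole with 'unsafe-inline' (simplified rule: nonce/hash fallbacks are not modelled)."""
    v = value.lower()
    return ("script-src" in v or "default-src" in v) and "'unsafe-inline'" not in v


# (header name, weight, validator). High priority = 2 points, Medium = 1 point.
CHECKS: List[Tuple[str, int, Callable[[str], bool]]] = [
    ("Strict-Transport-Security", 2, _hsts_ok),
    ("Content-Security-Policy", 2, _csp_ok),
    ("X-Frame-Options", 2, lambda v: v.upper() in ("DENY", "SAMEORIGIN")),
    ("X-Content-Type-Options", 1, lambda v: v.lower() == "nosniff"),
    ("Referrer-Policy", 1, lambda v: v.lower() in SAFE_REFERRER),
    ("Permissions-Policy", 1, lambda v: bool(v)),
]
MAX_SCORE = sum(weight for _, weight, _ in CHECKS)  # 9


def audit(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (grade, problems) where problems lists headers absent or misconfigured."""
    score = 0
    problems: List[str] = []
    for name, weight, ok in CHECKS:
        value = _get(headers, name)
        if value and ok(value):
            score += weight
        else:
            problems.append(name)
    # Assumed grade ladder over the 9 available points.
    if score == MAX_SCORE:
        grade = "A+"
    elif score >= 7:
        grade = "A"
    elif score >= 5:
        grade = "B"
    elif score >= 3:
        grade = "C"
    elif score >= 1:
        grade = "D"
    else:
        grade = "F"
    return grade, problems


# Constructed samples: a site before migration, one half-done, and the target state.
BEFORE = {"Server": "nginx", "Content-Type": "text/html"}
PARTIAL = {
    "Strict-Transport-Security": "max-age=300",           # too short to matter
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",  # self-defeating
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=()",
}
AFTER = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://analytics.example.net",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        grade, problems = audit(sample)
        print(f"{label}: grade {grade}, problems: {problems or 'none'}")
```

The PARTIAL sample is the case the table does not show: every header is present, yet a 5-minute HSTS and a CSP carrying 'unsafe-inline' are counted as missing, which is why "add the headers" alone is not the goal and a tested value for each one is.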
TLS, certificates and grade impact
Beyond headers, the transport layer and certificates matter just as much.
| Element | 2026 target state | At-risk state | Cost/effort |
|---|---|---|---|
| TLS version | 1.3 (1.2 minimum) | TLS 1.0/1.1 active | included in audit |
| SSL certificate | auto-renewed (Let's Encrypt) | manual expiry | free |
| http->https redirect | systematic 301 | http accessible | included |
| Mixed content | none (all https) | images/scripts on http | cleanup |
| securityheaders grade | A / A+ | F / D | audit goal |
| Full audit cost | 150,000 - 400,000 FCFA | - | by size |
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Senegalese market. Free quote in 2 minutes.
In Senegal, law 2008-12 on personal data protection requires reasonable security measures: a site collecting customer data without proper HTTPS or headers exposes itself to CDP sanctions and loss of trust.
Mini case study
Sophie migrates her clinic's site in Dakar (online booking, patient data). Before migration: grade F on securityheaders, TLS 1.0 still active, no HSTS, forms partly on http. Audit + fix billed at 300,000 FCFA. After: TLS 1.3, HSTS enabled, tested CSP, 301 redirects, grade A. Result: better compliance with law 2008-12, no more "not secure" browser warning (which drove away 1 in 5 visitors), and a booking form whose completion rate rises by 12 points.
FAQ
Do security headers slow down the site? No, their performance impact is nil: they are HTTP headers of a few bytes. They affect neither LCP nor page weight.
Can a bad CSP break my site? Yes, if too strict it can block legitimate scripts (analytics, chat, payment). That is why we first test it in "report-only" mode before enforcing it.
Is a free Let's Encrypt SSL certificate enough? Yes for almost all sites: it offers the same encryption as a paid certificate, auto-renews every 90 days, and avoids expiry oversights.
Why run the audit during the migration rather than after? Because we are already reconfiguring server and DNS: adding headers and fixing TLS then costs a few hours, versus a more expensive separate intervention later.
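The "report-only" answer above is worth seeing in code. What `Content-Security-Policy-Report-Only` gives you is the list of resources the policy would have refused without actually refusing them; the added example below (not Kolonell's code) reproduces that dry run offline by matching the scripts a page loads against the `script-src` sources of a policy, using the standard source forms ('self', 'none', a scheme like `https:`, a host, a `*.` wildcard host). It goes beyond the FAQ's single case by showing a strict policy that breaks the analytics, chat and payment scripts and the tuned policy that allows them. The page origin, script URLs and both policies are constructed samples; path matching and nonce/hash sources are deliberately not modelled.

```python
"""Dry-run a CSP's script-src against the scripts a page really loads.
Added example; URLs and policies below are constructed, not a real site's."""
from typing import Dict, List
from urllib.parse import urlsplit


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn "default-src 'self'; script-src a b" into {'default-src': [...], ...}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host, or '*.example.org' for any subdomain (not the bare domain)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _source_allows(source: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression allow script_url?"""
    src, page = urlsplit(script_url), urlsplit(page_origin)
    host = (src.hostname or "").lower()
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return (src.scheme, host) == (page.scheme, (page.hostname or "").lower())
    if source.startswith("'"):
        # 'unsafe-inline', nonces, hashes: not URL sources, so they never match a URL.
        return False
    if source.endswith(":") and "/" not in source:
        # Scheme source such as "https:" allows any host over that scheme.
        return src.scheme == source[:-1]
    # Host source: [scheme://]host[:port][/path]; port and path are ignored here.
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if src.scheme != scheme:
            return False
    else:
        rest = source
    pattern = rest.split("/", 1)[0].split(":", 1)[0]
    return _host_matches(pattern, host)


def blocked_scripts(policy: str, page_origin: str, script_urls: List[str]) -> List[str]:
    """Scripts the policy would refuse: exactly what report-only mode would report."""
    directives = parse_csp(policy)
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]  # CSP fallback when script-src is absent
    else:
        return []  # no applicable directive: scripts are unrestricted
    return [url for url in script_urls
            if not any(_source_allows(s, url, page_origin) for s in sources)]


# Constructed sample: a clinic site with its own booking script plus three third parties.
PAGE = "https://clinique-exemple.sn"
SCRIPTS = [
    "https://clinique-exemple.sn/js/booking.js",
    "https://analytics.example.net/tag.js",   # analytics
    "https://chat.example.org/widget.js",     # chat widget
    "https://pay.example.com/checkout.js",    # payment
]
STRICT = "default-src 'self'; script-src 'self'"
TUNED = ("default-src 'self'; "
         "script-src 'self' https://analytics.example.net https://*.example.org https://pay.example.com")

if __name__ == "__main__":
    print("strict policy would block:", blocked_scripts(STRICT, PAGE, SCRIPTS))
    print("tuned policy would block:", blocked_scripts(TUNED, PAGE, SCRIPTS))
```

In deployment the workflow is the same list, just produced by browsers: ship the policy under `Content-Security-Policy-Report-Only`, read what gets reported, add the legitimate origins (as TUNED does), and only then rename the header to `Content-Security-Policy`.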
Let's talk about your project. We audit your current site's security for free (securityheaders grade, TLS, certificates) and quote the compliance work. WhatsApp +221 77 596 93 33.
Mohamed Bah
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.

