SEO Audit, Docs Polish & Security Headers

Improved

• SEO Validator v7.2.1 — Reduced false positives: relaxed title length thresholds (min 15, max 70), exempt utility pages from title checks, scoped heading hierarchy and soft 404 detection to <main> content only, added changelog exemption for legitimate 404-mentioning content
• docs.speybooks.com SEO — Disambiguated duplicate titles (Authentication ×2, Webhooks ×3), expanded 8 short meta descriptions on API reference pages, excluded internal DOCS-CONTENT-STATUS page from sitemap, fixed robots.txt and llms.txt MIME types to text/plain
• Security headers hardened across all four subdomains — added Content-Security-Policy to speybooks.com and docs.speybooks.com, added full security header suite to api.speybooks.com (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy), fixed nginx header inheritance in static asset location blocks
• Insights articles 9 & 10 — “Building Idempotent Financial APIs” (27 Feb) and “Why Accounting Software Shouldn’t Need a UI” (1 Mar) published with hero SVGs

Fixed

• nginx header inheritance — Static asset location blocks (/_astro/, images, CSS/JS) were silently dropping all server-level security headers due to nginx’s add_header inheritance model. Added X-Content-Type-Options to each block.
• api.speybooks.com security — Was serving zero security headers. Added HSTS, nosniff, DENY framing, referrer policy, and permissions policy to all three location blocks (proxy, root, catch-all).
• Bank feeds article polish — Softened Plaid settlement language, clarified PSD2 refresh phrasing, added SpeyBooks to CSV parties list for completeness