I actually do build all of those things before standing something up in prod. Not doing that is insane. Literally every web framework has reasonable defaults baked in.
Any competent tech company will have canned ways to do all of those things that have already been reviewed and vetted
Why are you building and deploying a site critical enough to need CSP and user security & so on in one sitting lol
Anyways, yes, if I know I'm gonna need it? Because every framework has reasonable defaults or libraries for all of those things, and if you're in a corporate environment, you have vetted ways of doing them
1. import middleware.whatever
2. configure it
3. done
Like, you don't write these things unless you need custom behavior.
Any competent tech company will have canned ways to do all of those things that have already been reviewed and vetted