What we read from the outside
Only what any visitor can load. No login, no probing, no payloads.
- Response headers (HSTS, CSP, frame and content-type policies)
- Public JavaScript bundles for hardcoded keys or secret endpoints
- Common config paths (.env, .git, backups, source maps)
- DNS records and email auth (SPF, DMARC)
- TLS version and certificate
- Open directory listings and verbose error pages
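As an added example (not the report's own tooling), the header items in the list above can be checked offline against constructed header sets; the 180-day HSTS floor and the finding strings are assumptions of this snippet, not criteria stated in the report.

```python
# Added example, not the report's own tooling: a passive check of the header
# items listed above, run over constructed header sets rather than a live site.
from typing import Dict, List

def _max_age(directives: List[str]) -> int:
    """HSTS max-age in seconds; 0 when absent or malformed."""
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit():
            return int(d[8:])
    return 0

def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}, lower-cased."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.lower().split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers look strict."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        if _max_age(directives) < 15552000:  # 180 days, an assumed floor
            findings.append("HSTS max-age below 180 days")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    csp = _parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP allows inline scripts")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing policy (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings

# Constructed sample header sets (not captured from any site).
STRICT = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff"}
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
```

Running `check_headers(STRICT)` returns no findings, while `check_headers(WEAK)` lists the short HSTS lifetime, the missing includeSubDomains, the inline-script allowance, the absent framing policy and the missing nosniff.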
What we found
Nothing sensitive was reachable from the outside. Headers were strict, config paths were locked down, and the public scripts held no secrets.
How we graded this
The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.
What to take away
- Headers and transport were in good shape.
- No secrets sat in the public JavaScript.
- We only loaded what any browser loads.