What we read from the outside
Only what any visitor can load. No login, no probing, no payloads.
- Response headers (HSTS, CSP, frame and content-type policies)
- Public JavaScript bundles for hardcoded keys or secret endpoints
- Common config paths (.env, .git, backups, source maps)
- DNS records and email auth (SPF, DMARC)
- TLS version and certificate
- Open directory listings and verbose error pages
What we found
A handful of fixable gaps on the public surface. Details held.
We are keeping the specifics off this page at the owner's request. The grade reflects what we saw from the outside. The owner can ask us to publish the full read or remove this entry at any time.
How we handled it
- Jun 30, 2026: Read passively from the outside. We hold the specifics until the owner has had a chance to fix them.
How we graded this
The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.
What to take away
- A few common gaps, all fixable.
- Nothing here needed a login or a payload to spot.
- We hold the specifics until they can be fixed.