What we read from the outside
Only what any visitor can load. No login, no probing, no payloads.
- Response headers (HSTS, CSP, frame and content-type policies)
- Public JavaScript bundles for hardcoded keys or secret endpoints
- Common config paths (.env, .git, backups, source maps)
- DNS records and email auth (SPF, DMARC)
- TLS version and certificate
- Open directory listings and verbose error pages
What we found
Several things worth fixing on the public surface. Details held.
We are keeping the specifics off this page at the owner's request. The grade reflects what we saw from the outside. The owner can ask us to publish the full read or remove this entry at any time.
How we handled it
- Jun 30, 2026: Read passively from the outside. We hold the specifics until the owner has had a chance to fix them.
How we graded this
The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.
What to take away
- A cluster of gaps that add up.
- All of it visible from the outside, none of it exotic.
- We hold the specifics until they can be fixed.