What we read from the outside
Only what any visitor can load. No login, no probing, no payloads.
- Response headers (HSTS, CSP, frame and content-type policies)
- Public JavaScript bundles for hardcoded keys or secret endpoints
- Common config paths (.env, .git, backups, source maps)
- DNS records and email auth (SPF, DMARC)
- TLS version and certificate
- Open directory listings and verbose error pages
What we found
Solid from the outside. A few small things left to tighten.
We are keeping the specifics off this page at the owner's request. The grade reflects what we saw from the outside. The owner can ask us to publish the full read or remove this entry at any time.
How we handled it
- Jun 30, 2026: Read passively from the outside. We hold the specifics until the owner has had a chance to fix them.
How we graded this
The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.
What to take away
- The basics were mostly in place.
- What is left is routine hardening.
- We hold the specifics until they can be fixed.