Security Posture

A company that builds accountability infrastructure should walk the talk. Here’s our website’s posture.

Transport Security

  • HSTS — enabled (preload-ready)
  • TLS 1.3 — via Cloudflare edge (where supported)

Response Headers

  • Content-Security-Policy (strict allowlists)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
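
The header values listed above, together with the preload-ready HSTS item under Transport Security, can be checked mechanically. The following is an added example, not this site's own tooling: the function names and the sample header set are constructed, the CSP value is a placeholder because the page does not publish the actual policy, and "preload-ready" is taken to mean the HSTS preload list requirements (max-age of at least one year, includeSubDomains, preload).

```python
# Added example: audit a header set against the posture listed above.
# SAMPLE is constructed; the CSP value is a placeholder, not this site's policy.
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
EXACT = {  # headers whose value the page states verbatim
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DISABLED = ("camera", "microphone", "geolocation")
PRELOAD_MIN_AGE = 31536000  # one year: minimum accepted by the HSTS preload list


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flag directives)."""
    max_age, flags = None, set()
    for part in value.lower().split(";"):
        name, _, arg = (s.strip() for s in part.partition("="))
        if name == "max-age":
            max_age = int(arg) if arg.isdecimal() else None
        elif name:
            flags.add(name)
    return max_age, flags


def audit(headers):
    """Return findings; an empty list means the headers match the posture."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{n}: expected {want!r}, got {h.get(n)!r}"
                for n, want in EXACT.items() if h.get(n, "").lower() != want]
    max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
    if max_age is None or max_age < PRELOAD_MIN_AGE:
        findings.append("hsts: max-age missing or below one year")
    findings += [f"hsts: missing {f}" for f in ("includesubdomains", "preload")
                 if f not in flags]
    # Permissions-Policy: "feature=()" is an empty allowlist, i.e. disabled everywhere.
    items = h.get("permissions-policy", "").lower().replace(" ", "").split(",")
    policy = dict(i.partition("=")[::2] for i in items)
    findings += [f"permissions-policy: {f} not disabled" for f in DISABLED
                 if policy.get(f) != "()"]
    if not h.get("content-security-policy"):
        findings.append("content-security-policy: missing")
    return findings
```

The CSP check only confirms the header is present; judging whether its allowlists are strict requires the actual policy.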

Security Scoring

  • Target: Mozilla Observatory A+ / SSL Labs A+
  • Current scores published when deployment is stable

Privacy

  • Analytics: Plausible (cookie-free)
  • No third-party behavioral trackers
  • No advertising scripts
  • We do not intentionally collect personal data via this site

Supply Chain

  • Static site — no server-side runtime
  • Hosted on Cloudflare Pages (global CDN, DDoS protection)
  • Third-party scripts use SRI where applicable
  • Dependency lockfile committed for reproducible builds

Questions or security concerns? one@oia-lab.com

Responsible disclosure welcome. PGP on request.