Our own security, in the open.
We engineer security for clients — so ours should be inspectable. This page lists how this platform itself is secured. Nothing here is aspirational: every claim is live in production, and you can verify each one from outside.
Transport & isolation
HTTPS with strict transport security
Every request is served over TLS. HSTS is set for two years with includeSubDomains and preload, so browsers refuse to ever downgrade.
Content-Security-Policy on every response
A restrictive CSP limits where scripts, styles and media may load from, shutting down whole classes of injection attacks.
Cross-origin isolation
Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy are pinned to same-origin — our browsing context and resources are isolated from other sites.
No embedding, no sniffing, no referrers
X-Frame-Options: DENY (the site can never be framed), X-Content-Type-Options: nosniff, and Referrer-Policy: no-referrer — we leak nothing about your visit to anyone.
Hardware APIs denied by default
The Permissions-Policy disables camera, microphone, geolocation, payment, USB, Bluetooth and a dozen other browser capabilities this site has no business using.
Data minimisation
No third-party trackers
No advertising pixels, no fingerprinting, no cross-site anything. Only essential storage for your preferences — exactly what the cookie notice says.
The form sends only what you type
The contact endpoint receives the fields you fill in, nothing more, and is rate-limited to blunt abuse and scraping.
Anonymous, aggregate analytics
Traffic measurement is cookieless and aggregate. We can see that a page was visited — not who you are.
Verify it yourself
Don't take our word for it. Anyone can audit these claims in under a minute:
curl -sI https://ardlabs.eu | grep -iE "strict-transport|content-security|x-frame"Read the security headers straight off the wire.
Grade the TLS configuration with Qualys SSL Labs.
Score the full response-header set.
Our machine-readable disclosure policy, where researchers expect it.
Responsible disclosure
Found something? Tell us.
If you believe you have found a vulnerability in ardlabs.eu or any service we operate, write to info@ardlabs.eu with enough detail to reproduce it. We read every report.
We acknowledge reports quickly — typically within 72 hours — and keep you informed while we fix. We will never pursue legal action against good-faith research that respects user data and avoids service disruption.
We are happy to credit researchers who report responsibly, if they wish.
This is the standard we bring to client work.
The same discipline — headers, minimisation, verifiability — applied to your platform.
Start a conversation