
Security, as practice.

If we sell security, our own site should be living evidence of how to do it. This page documents the controls running on redactlabs.ca, the compliance frameworks we align to, and how to report a vulnerability. Every control listed below is in production today, not a roadmap promise.

Verified in your browser

Don't take our word for it.

The table below is generated live: your browser re-fetches this page and reads the actual HTTP response headers it received. Every row is a real header on this response, right now — not a screenshot, not a claim.


How we secure this site

The controls, itemized.

Every item below ships on redactlabs.ca today. Where the implementation is open source, the right-hand link goes to the code.

01 / EDGE

Strict static CSP

script-src and style-src are 'self' — every script and stylesheet ships as an external file, so nothing inline runs. No 'unsafe-inline', no 'unsafe-eval', and no nonce to leak or desync. One fixed policy on every response.

Worker: edge layer sets one static policy
02 / TRANSPORT

HSTS + modern TLS

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload — a one-year strict-transport lock, preload-eligible. TLS 1.3 only — the zone refuses TLS 1.2 and below — on Cloudflare-managed modern cipher suites.

Grade target: A+ on SSL Labs and Observatory
03 / FORMS

Turnstile + KV rate-limit

Contact and lead-magnet forms verify the Turnstile token server-side before any downstream action. Per-IP rate limit enforced via a Workers KV counter with a sliding window.

Tokens: never trusted client-side
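The two server-side checks described above, as an added example in Worker-style JavaScript (not the site's own Worker code). The pure functions carry the logic so they can be exercised offline; the async handler shows where they sit in a Cloudflare Worker. Assumed names: a KV binding RATE_LIMIT, a secret binding TURNSTILE_SECRET, a widget action "contact", and a limit of 5 submissions per IP per 10 minutes. Two caveats a practitioner should know: Workers KV is eventually consistent and has no atomic increment, so a KV-backed counter is a soft limit (a strict one needs Durable Objects); and siteverify's `success` flag alone is not sufficient, the response's `hostname` and `action` must also match, or a token solved on another site could be replayed here (siteverify itself rejects a reused token with `timeout-or-duplicate`).

```javascript
// Added example, not redactlabs.ca's Worker. Limits below are assumptions.
const WINDOW_MS = 10 * 60 * 1000;
const LIMIT = 5;

// Sliding-window decision. `hits` is the list of accepted-request timestamps
// (ms) previously stored for this key. Returns the decision plus the pruned
// list to write back, so old entries do not accumulate in the store.
function slidingWindowDecision(hits, nowMs, windowMs = WINDOW_MS, limit = LIMIT) {
  const recent = hits
    .filter((t) => t > nowMs - windowMs && t <= nowMs)
    .sort((a, b) => a - b);
  if (recent.length >= limit) {
    // The oldest hit in the window is the first to age out.
    const retryAfterMs = recent[0] + windowMs - nowMs;
    return { allowed: false, retryAfterSec: Math.ceil(retryAfterMs / 1000), hits: recent };
  }
  recent.push(nowMs);
  return { allowed: true, retryAfterSec: 0, hits: recent };
}

// Validate the JSON body returned by Turnstile's siteverify endpoint.
// success:true is necessary but not sufficient: the token must have been
// solved on our hostname, for our widget action, and recently.
function turnstileOutcome(body, { hostname, action, nowMs, maxAgeMs = 5 * 60 * 1000 }) {
  if (!body || body.success !== true) {
    const codes = (body && body['error-codes']) || ['no-success'];
    return { ok: false, reason: codes.join(',') };
  }
  if (body.hostname !== hostname) return { ok: false, reason: 'hostname-mismatch' };
  if (body.action !== action) return { ok: false, reason: 'action-mismatch' };
  const solvedAt = Date.parse(body.challenge_ts);
  if (Number.isNaN(solvedAt) || nowMs - solvedAt > maxAgeMs) return { ok: false, reason: 'stale' };
  return { ok: true, reason: '' };
}

// Worker-side glue (needs the Cloudflare runtime; not exercised offline).
async function handleSubmission(request, env) {
  const ip = request.headers.get('CF-Connecting-IP') || '0.0.0.0';
  const key = `rl:${ip}`;
  const now = Date.now();
  const hits = (await env.RATE_LIMIT.get(key, { type: 'json' })) || [];
  const decision = slidingWindowDecision(hits, now);
  await env.RATE_LIMIT.put(key, JSON.stringify(decision.hits), {
    expirationTtl: Math.ceil(WINDOW_MS / 1000),
  });
  if (!decision.allowed) {
    return new Response('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': String(decision.retryAfterSec) },
    });
  }
  const form = await request.formData();
  const verify = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      secret: env.TURNSTILE_SECRET,
      response: form.get('cf-turnstile-response'),
      remoteip: ip,
    }),
  });
  const outcome = turnstileOutcome(await verify.json(), {
    hostname: 'redactlabs.ca', action: 'contact', nowMs: now,
  });
  if (!outcome.ok) return new Response('Forbidden', { status: 403 });
  // Downstream action (send mail, write the audit record) only runs from here.
  return new Response('OK', { status: 200 });
}
```

The rate-limit check runs before the Turnstile call on purpose: siteverify is a network round trip, and an attacker should not be able to make the Worker pay for it beyond the per-IP budget.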
04 / AUDIT

PII-redacted audit log

Form submissions are written to a dedicated edge audit log with PII hashed at write time. We retain 30 days for incident triage; IPs are stored as /24 ranges only, never full addresses. No free-text message bodies are persisted in plaintext.

Retention: 30 days, then purged
05 / SECRETS

Secrets out of source

API keys (Resend, Turnstile secret, etc.) live in Cloudflare environment bindings. Wrangler config IDs (D1, R2, KV) are kept in a gitignored wrangler.local.jsonc so the committed config exposes only bindings, never identifiers.

Approach: least-privilege per environment
06 / TELEMETRY

Cookie-free analytics

We run Cloudflare Web Analytics — no cookies, no fingerprinting, no banner required. No third-party trackers and no advertising scripts touch the page.

Compliance: GDPR / PIPEDA friendly by default
Email & DNS hardening

The layer most sites forget.

Response headers are only half the attack surface. A domain that never locks down its email authentication and DNS is one spoofed invoice away from a bad day. Here is how redactlabs.ca closes that half.

01 / DMARC

DMARC, enforced

DMARC is set to enforcement, not monitor-only: a receiving server acts on a message that fails both SPF and DKIM alignment instead of merely logging it. A spoofed email claiming to come from redactlabs.ca does not land in the inbox.

Mode: enforced, not monitor-only
02 / REPORTS

Aggregate reports, watched

Publishing a DMARC policy is only half the job — the aggregate reports receivers send back are collected and reviewed, so a drop in authentication pass-rate is caught early rather than discovered after an incident.

Cadence: reviewed continuously
03 / SPF

SPF, hard-fail

An SPF record declares which servers may send mail as redactlabs.ca and ends in -all, the hard-fail qualifier: mail from a server that is not on the list fails SPF outright, and the receiver is told to reject it rather than softly flag it as ~all would.

Posture: reject unlisted senders
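A way to check the DMARC and SPF claims above from the published TXT records, as an added example (not the site's tooling). It parses the two record formats and flags the ways a record can look enforcing without being so: p=none, pct below 100, an explicit sp=none that re-opens subdomains, a ~all or missing all term, and more than the ten DNS-querying mechanisms RFC 7208 allows before receivers return permerror. The records in the test are constructed samples for example.com, not the live redactlabs.ca records; fetching the real ones (the TXT at _dmarc.<domain> and at the apex) is left to the caller.

```javascript
// Added example, not redactlabs.ca's code. Checks record text only; it does
// not resolve DNS, so hand it the TXT values you have already looked up.

// Split a DMARC record ("v=DMARC1; p=reject; rua=mailto:...") into tags.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const [k, ...rest] = part.split('=');
    if (!k || !k.trim()) continue;
    tags[k.trim().toLowerCase()] = rest.join('=').trim();
  }
  return tags;
}

// Enforcing means p=reject or p=quarantine applied to 100% of failing mail,
// with subdomains not explicitly relaxed, and a rua= address so the
// aggregate reports have somewhere to go.
function dmarcPosture(txt) {
  const t = parseDmarc(txt);
  const problems = [];
  if (t.v !== 'DMARC1') problems.push('not a DMARC1 record');
  const enforcing = ['reject', 'quarantine'];
  if (!enforcing.includes(t.p)) problems.push(`p=${t.p ?? 'missing'} is monitor-only`);
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (pct < 100) problems.push(`pct=${pct} applies the policy to only ${pct}% of failing mail`);
  if (t.sp !== undefined && !enforcing.includes(t.sp)) problems.push(`sp=${t.sp} leaves subdomains unenforced`);
  if (!t.rua) problems.push('no rua= address, aggregate reports are not collected');
  return { enforced: problems.length === 0, policy: t.p, subdomainPolicy: t.sp ?? t.p, pct, problems };
}

// Classify the "all" mechanism of an SPF record and count DNS-querying
// terms. -all is hard fail, ~all soft fail, ?all neutral, +all or no all
// term lets any sender pass.
function spfPosture(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms[0] !== 'v=spf1') {
    return { valid: false, allQualifier: null, hardFail: false, lookups: 0, problems: ['not an spf1 record'] };
  }
  const problems = [];
  const allTerm = terms.find((x) => /^[+\-~?]?all$/.test(x));
  const qualifier = allTerm ? (allTerm.length === 3 ? '+' : allTerm[0]) : null;
  if (qualifier !== '-') {
    problems.push(allTerm ? `${allTerm} is not a hard fail` : 'no all mechanism, result defaults to neutral');
  }
  // include, a, mx, ptr, exists and redirect each cost a DNS lookup; ip4/ip6 do not.
  const lookupRe = /^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr|exists:)|^redirect=/;
  const lookups = terms.filter((x) => lookupRe.test(x)).length;
  if (lookups > 10) problems.push(`${lookups} DNS lookups exceed the limit of 10, receivers return permerror`);
  return { valid: true, allQualifier: qualifier, hardFail: qualifier === '-', lookups, problems };
}
```

Note the division of labour the page itself relies on: -all is what SPF says, but most receivers only act on the combined DMARC verdict, so an SPF hard fail without an enforcing DMARC policy is advice the receiver is free to ignore.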
04 / DKIM

Signed outbound mail

Outbound mail carries a cryptographic DKIM signature, so a receiver can confirm the message genuinely originated from our infrastructure and was not altered in transit. It is what gives DMARC alignment something to verify.

Method: cryptographic signature
05 / DNSSEC

Signed DNS

DNSSEC is enabled: DNS answers for the domain are cryptographically signed, so a resolver can detect a poisoned cache or a forged response instead of trusting it.

Effect: tamper-evident DNS
06 / CAA

Certificate issuance, restricted

A CAA record restricts which certificate authorities may issue a TLS certificate for the domain. A CA asked to mint one without authorisation must refuse.

Effect: locked to known CAs
Transparency

Security is maintenance.

A posture is only as strong as its upkeep. The most recent hardening shipped to this site — every item is visible in the live check at the top of this page.

  • Strict all-external Content Security Policy

    Every script and stylesheet was moved to an external file so the CSP could become a pure 'self' policy — no 'unsafe-inline', no 'unsafe-eval', and no nonce that can desync under caching.

  • CSP violation reporting

    A report-to directive plus a collector endpoint means the browser now reports any policy violation: early warning of a regression before it can become a vulnerability.

  • Security headers on every response

    The base header set — HSTS, nosniff, frame, referrer, cross-origin and permissions policies — now ships on every response, including JSON API responses, not only HTML pages.

  • Network Error Logging

    Browsers now report transport-layer failures — DNS, TLS, connection and HTTP 5xx errors — to a collector, surfacing connectivity problems that real visitors encounter.

  • Live in-browser verification

    The check at the top of this page: your browser re-fetches the page and confirms the response headers itself. The posture is provable, not merely asserted.
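The collector side of the CSP violation reporting and Network Error Logging items above, as an added example (not the site's collector). Browsers deliver both kinds of report through the Reporting API as a JSON array with Content-Type application/reports+json, while older CSP report-uri deliveries arrive as a single application/csp-report object with hyphenated keys; the parser normalises both. It also sorts CSP reports into what matters under a pure 'self' policy: a blocked "inline" or "eval" means our own code regressed, a blocked extension URL is browser-extension noise, anything else needs a look. The header builder shows the pairing the page relies on, with one caveat: the CSP report-to group is declared in Reporting-Endpoints, but NEL is still keyed to the older Report-To header, so a collector that only sets Reporting-Endpoints gets no NEL reports. The sample report bodies in the test are constructed; directive names beyond those the page states are left out of the CSP string.

```javascript
// Added example, not redactlabs.ca's collector. Report shapes follow the
// Reporting API and the legacy CSP report-uri format.

// Normalise whatever a browser POSTs to the collector into one flat shape.
function parseReports(contentType, rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch { return []; }
  if (contentType.startsWith('application/csp-report')) {
    const r = data && data['csp-report'];
    if (!r) return [];
    return [{
      kind: 'csp-violation',
      document: r['document-uri'] || '',
      directive: r['effective-directive'] || r['violated-directive'] || '',
      blocked: r['blocked-uri'] || '',
      disposition: r.disposition || 'enforce',
      detail: '',
      userAgent: '',
    }];
  }
  if (!Array.isArray(data)) return [];
  const out = [];
  for (const rep of data) {
    const b = rep && rep.body;
    if (!b || typeof rep.type !== 'string') continue;
    if (rep.type === 'csp-violation') {
      out.push({
        kind: 'csp-violation',
        document: b.documentURL || rep.url || '',
        directive: b.effectiveDirective || '',
        blocked: b.blockedURL || '',
        disposition: b.disposition || 'enforce',
        detail: b.sourceFile ? `${b.sourceFile}:${b.lineNumber ?? 0}` : '',
        userAgent: rep.user_agent || '',
      });
    } else if (rep.type === 'network-error') {
      out.push({
        kind: 'network-error',
        document: rep.url || '',
        directive: b.phase || '',          // dns, connection or application
        blocked: '',
        disposition: '',
        detail: `${b.type || ''} status=${b.status_code ?? 0}`,
        userAgent: rep.user_agent || '',
      });
    }
  }
  return out;
}

// Triage for a site whose policy is a pure 'self': inline/eval means we
// shipped inline code again; extension schemes are noise; the rest is
// either an injected script or an asset we forgot to move.
function classify(report) {
  if (report.kind === 'network-error') return 'transport';
  if (report.blocked === 'inline' || report.blocked === 'eval') return 'regression';
  if (/^(chrome|moz|safari-web)-extension:/.test(report.blocked)) return 'noise';
  return 'investigate';
}

// Headers that make browsers send the reports to collectorUrl. CSP uses
// the Reporting-Endpoints group; NEL still needs Report-To.
function reportingHeaders(collectorUrl) {
  return {
    'Content-Security-Policy': "script-src 'self'; style-src 'self'; report-to csp-endpoint",
    'Reporting-Endpoints': `csp-endpoint="${collectorUrl}"`,
    'Report-To': JSON.stringify({ group: 'default', max_age: 86400, endpoints: [{ url: collectorUrl }] }),
    'NEL': JSON.stringify({ report_to: 'default', max_age: 86400, include_subdomains: true }),
  };
}
```

Reports are unauthenticated input from arbitrary clients, so the collector should cap body size, rate-limit per IP like any other form endpoint, and never render report fields into HTML without escaping.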

Frameworks we align to

Standards, not theatre.

We use these as the source-of-truth control set for both client engagements and our own infrastructure. Where regulated clients require board-ready evidence, we map controls back to these frameworks.

CSF

NIST CSF 2.0

Govern, Identify, Protect, Detect, Respond, Recover. Our default control taxonomy for SMB and charity engagements.

CIS

CIS Controls v8

Implementation Group 1–3. We typically scope to IG2 for charities and growing SMBs, IG3 for regulated and high-revenue clients.

CSC

CyberSecure Canada

The federal SMB certification baseline. We map every client engagement to these 13 control areas as a minimum bar.

CA-PRIV

PIPEDA · Law 25 · PHIPA

Canadian privacy law fluency: federal, Quebec, and Ontario health. We provide privacy-impact assessments and board-ready documentation.

Responsible disclosure

Report a vulnerability.

If you've found a security issue in a Redact Labs property, we want to know. The terms below apply to good-faith researchers and are the canonical target of the Policy field in our /.well-known/security.txt.

01
Email

security@redactlabs.ca

Send a clear description, steps to reproduce, and any proof-of-concept. Do not include third-party PII; redact where possible.

02
SLA

72-hour ack

We acknowledge every report within 72 hours, including triage status and an internal tracking ID.

03
Fix

30-day target

Confirmed high-severity issues are fixed or mitigated within 30 days. We keep you informed; we will not silently close.

04
Credit

Public thanks

With your permission, we list you in the acknowledgments below. No bug bounty at this time; eligible reports receive swag and a written reference.

Scope

In scope

  • redactlabs.ca and all *.redactlabs.ca
  • mirror.redactlabs.ca
  • Published open-source Worker templates
  • Email security (SPF, DKIM, DMARC) of redactlabs.ca

Out of scope

  • Denial-of-service or volumetric testing
  • Social engineering of our team
  • Physical attacks against our office
  • Client-owned infrastructure we operate under contract

We will not pursue legal action against researchers who act in good faith, comply with this policy, avoid privacy violations, and give us reasonable time to fix issues before public disclosure.

Acknowledgments

Researchers who helped harden us.

Listed with permission. Reach out if you've reported something and would like to be added or removed.

No public acknowledgments yet. Be the first — security@redactlabs.ca.

Frequently asked

Disclosure questions, answered.

How do I report a security vulnerability in a Redact Labs property?

Email security@redactlabs.ca with a description of the issue and steps to reproduce. We acknowledge reports within 72 hours and target a fix or mitigation within 30 days for confirmed issues. We will not pursue legal action against good-faith researchers who follow the disclosure policy on this page.

Is there a bug bounty?

We do not run a paid bounty at this time. We do publicly acknowledge researchers (with permission) on this page. Eligible high-impact reports receive Redact Labs swag and a written reference.

What is in scope for disclosure?

In scope: redactlabs.ca, mirror.redactlabs.ca, any *.redactlabs.ca subdomain, and the open-source Worker templates we publish. Out of scope: denial-of-service tests, social engineering of our team, physical attacks, and tests against client-owned infrastructure we operate under contract.

Do you align to a specific security framework?

Our controls align to NIST CSF 2.0, CIS Controls v8, and CyberSecure Canada. Engagements with regulated clients also align to PIPEDA, Quebec Law 25, and PHIPA where applicable.

How long do you retain logs and what is logged?

Edge access logs and form-submission audit records are retained for 30 days, with PII redacted at write time. We hash email addresses, never store free-text message bodies in plaintext, and store IPs only as truncated /24 ranges for rate-limiting. Cloudflare Web Analytics is cookie-free and does not collect personal data.

Want this posture on your site?

Every site we build inherits the controls on this page by default. Talk to a senior engineer about a security retrofit or a fresh build.