Security

We practice what we build

A security product company whose website leaks visitor data to Google is not credible. We hold this site to the same standard as our product: minimal data collection, no third-party trackers, strict Content Security Policy, and self-hosted everything that can be self-hosted.

Every claim on this page is verifiable. We'll show you how.

HTTP security headers

Every response from this site includes these 7 security headers, applied by our Astro middleware on every request:

Content-Security-Policy

default-src 'self'; script-src 'self' 'nonce-...' 'strict-dynamic' ...

Nonce-based script loading with 'strict-dynamic': a script runs only if it carries the per-request nonce or is loaded by a script that does. The host entries in script-src are a fallback for browsers that do not understand 'strict-dynamic' and are ignored by those that do.

Strict-Transport-Security

max-age=63072000; includeSubDomains; preload

Browsers that have seen this header refuse plain HTTP to this host and all of its subdomains for two years after the last visit. The max-age, includeSubDomains and preload directives meet the requirements for the HSTS preload list.

X-Content-Type-Options

nosniff

Browsers honour the declared Content-Type instead of guessing it from the bytes, so a response cannot be reinterpreted as a script or stylesheet.

X-Frame-Options

SAMEORIGIN

Prevents this site from being embedded in third-party iframes (clickjacking protection).

Referrer-Policy

strict-origin-when-cross-origin

Same-origin requests carry the full referrer URL; cross-origin HTTPS requests carry only our origin; requests that downgrade to HTTP carry no referrer at all.

Permissions-Policy

camera=(), microphone=(), geolocation=(), interest-cohort=()

Camera, microphone and geolocation are disabled for this site and any frames it embeds; this site has no reason to access them. interest-cohort=() was the opt-out for Chrome's FLoC trial, which has since been discontinued; its successor, the Topics API, is governed by a separate directive (browsing-topics) that is not set here.

X-DNS-Prefetch-Control

on

Lets the browser resolve DNS for hostnames referenced on the page ahead of time, a performance optimisation. Since pages reference only our origin and the services listed below, nothing else is prefetched. This header is non-standard but widely honoured.

Content Security Policy deep-dive

Our CSP uses nonce-based script loading with 'strict-dynamic'. A fresh cryptographically random nonce is generated for every request and stamped onto each <script> tag we render; a script executes only if it carries that nonce or is loaded by one that does. Inline event handlers, <script> tags injected into the markup, and anything else without the nonce are blocked.

The complete CSP allowlist:

  • 'self' — our own origin
  • js.stripe.com — Stripe payment processing (Stripe's hosted JS keeps card data off our origin, which keeps our PCI DSS scope to the minimal SAQ A)
  • prod.spline.design — 3D product scenes (product pages only, future)
  • Plausible domain — self-hosted analytics (future, cookieless)

That's it. No Google. No Meta. No ad networks. No chat widgets. No social proof scripts. No "just one more tag."

Verify it yourself: open DevTools → Network tab on any marketing page. Every request goes to our origin or the services listed above.

Self-hosted assets

Fonts: Geist, DM Sans, and Geist Mono are self-hosted via Fontsource (WOFF2). Zero requests to Google Fonts or any external font CDN. This is enforced by the CSP font-src 'self' directive.

Analytics: When added, analytics will be via self-hosted Plausible — open source, cookieless, GDPR-compliant by design. No Google Analytics. Ever.

Hosting: Cloudflare Pages. The same provider handles our DNS, CDN, and DDoS protection — one vendor, one privacy relationship.

Third-party services

Every external service this site touches, why, and what data they see:

Cloudflare

Hosting, DNS, DDoS protection

Request metadata (IP address, timestamp, URL) in Cloudflare's standard edge logs. As the TLS terminator and CDN, Cloudflare also sees request and response contents in transit.

Supabase

Database (waitlist signups)

Email addresses and deposit status. Postgres Row Level Security policies, enforced by the database engine rather than by application code, restrict which rows each role can read or write.

Stripe

Payment processing (deposits)

Card data for PCI-compliant payment processing. Warden never sees card numbers.

Sentry

Error tracking

Error stack traces and browser metadata for debugging. No PII collected. Session replays disabled.

Verify it yourself

Don't take our word for it. Check:

Check the CSP header

curl -sI https://wardenllc.com/ | grep -i content-security-policy

Check for third-party requests

DevTools → Network tab → reload any marketing page → tick "3rd-party requests" (or type -domain:wardenllc.com in the filter box) to show only requests that leave our origin

View source

Marketing pages ship zero JavaScript (error tracking aside). View source to verify.
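The manual checks above can be scripted. The following is an added example (not a tool from the site): a small Node audit that takes a set of response headers, confirms all seven headers listed on this page are present, parses the CSP, and flags anything that contradicts the policy described here (no nonce, no 'strict-dynamic', 'unsafe-inline', or a script host outside the published allowlist). It runs offline against the constructed samples below; the nonce value and the "bad" header set are made up for illustration, and the Plausible hostname is left out because the page does not give it.

```javascript
// Added example, not part of the site: audit a response's security headers
// against the policy described on this page. Runs offline against the
// constructed samples below; pass a URL as the first argument to audit a
// live site:  node audit-headers.js https://wardenllc.com/
const REQUIRED = [
  "content-security-policy",
  "strict-transport-security",
  "x-content-type-options",
  "x-frame-options",
  "referrer-policy",
  "permissions-policy",
  "x-dns-prefetch-control",
];

// Script hosts the page lists as allowed. The Plausible hostname is not given
// on the page, so it is deliberately absent here.
const ALLOWED_SCRIPT_HOSTS = new Set(["https://js.stripe.com", "https://prod.spline.design"]);

// "default-src 'self'; script-src 'self' 'nonce-x'" -> { "default-src": ["'self'"], ... }
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(rawHeaders) {
  const headers = Object.fromEntries(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const findings = [];
  for (const name of REQUIRED) {
    if (!(name in headers)) findings.push(`missing header: ${name}`);
  }

  const hsts = headers["strict-transport-security"];
  if (hsts) {
    const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0);
    if (maxAge < 31536000) findings.push("HSTS max-age below one year (preload minimum)");
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  if (!headers["content-security-policy"]) return findings;
  const csp = parseCsp(headers["content-security-policy"]);
  const scriptSrc = csp["script-src"] || csp["default-src"] || [];
  if (!scriptSrc.some((s) => s.startsWith("'nonce-"))) findings.push("script-src: no nonce");
  if (!scriptSrc.includes("'strict-dynamic'")) findings.push("script-src: no 'strict-dynamic'");
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"]) {
    if (scriptSrc.includes(bad)) findings.push(`script-src: permits ${bad}`);
  }
  for (const src of scriptSrc) {
    if (src.startsWith("'")) continue; // keyword, nonce or hash, not a host
    if (!ALLOWED_SCRIPT_HOSTS.has(src)) findings.push(`script-src: unexpected host ${src}`);
  }
  return findings;
}

// Constructed sample: the header set this page describes, with a made-up nonce.
const SAMPLE_GOOD = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'nonce-dGVzdG5vbmNl' 'strict-dynamic' https://js.stripe.com; font-src 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
  "X-DNS-Prefetch-Control": "on",
};

// Constructed counter-example: a typical "just one more tag" deployment.
const SAMPLE_BAD = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com",
  "X-Content-Type-Options": "nosniff",
};

// Live check: fetch the page (GET, since some stacks treat HEAD differently)
// and audit the headers the server actually sent.
async function auditUrl(url) {
  const res = await fetch(url, { redirect: "manual" });
  return auditHeaders(Object.fromEntries(res.headers));
}

if (process.argv[2]) {
  auditUrl(process.argv[2]).then((f) => console.log(f.length ? f : ["all checks passed"]));
}

module.exports = { parseCsp, auditHeaders, auditUrl, SAMPLE_GOOD, SAMPLE_BAD };
```

Because 'strict-dynamic' makes modern browsers ignore host sources, the host check is about the published promise rather than runtime behaviour: any host in script-src that is not on the allowlist above contradicts "that's it", even if no browser ever loads from it.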

Report a vulnerability

If you find a security issue, please email hello@wardenllc.com with details. We take every report seriously.

A formal security.txt (RFC 9116) and responsible disclosure program are planned.