Security

How deswalsandbox.com is secured, what's been audited, and what to do if you find a vulnerability.

This page covers the marketing site only. Individual products linked from the lab have their own security documentation.

Transport

  • HTTPS everywhere, enforced via HSTS (max-age=63072000; includeSubDomains; preload).
  • TLS 1.3 minimum.
  • HTTP/2 + HTTP/3 enabled at the edge (Vercel + Cloudflare).

Headers

The site sends strict security headers on every response, including:

  • Content-Security-Policy with nonces for inline scripts.
  • Strict-Transport-Security as above.
  • X-Frame-Options: DENY.
  • X-Content-Type-Options: nosniff.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy restricting geolocation, camera, microphone, payment.

Verified periodically at securityheaders.com.
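A local check for the header policy listed above, added here as an example rather than the site's own code: the sample header values are constructed to match this page, not captured from deswalsandbox.com, and the function returns the list of deviations so it can run against any response headers you capture yourself.

```python
import re

# Constructed sample headers modelled on the policy stated on this page
# (not a real capture from deswalsandbox.com).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=(), payment=()",
}

def csp_directives(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def check_headers(headers):
    """Compare response headers with this page's policy; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 63072000:          # two years, as stated above
        findings.append("HSTS max-age missing or below two years")
    for token in ("includesubdomains", "preload"):
        if token not in hsts.lower().replace(" ", ""):
            findings.append(f"HSTS missing {token}")
    csp = csp_directives(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))
    if not any(s.startswith("'nonce-") for s in script_src):
        findings.append("CSP script-src has no nonce")
    if "'unsafe-inline'" in script_src:                 # the shortcut the page rules out
        findings.append("CSP script-src allows 'unsafe-inline'")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "") != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy differs from stated policy")
    pp = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("geolocation", "camera", "microphone", "payment"):
        if f"{feature}=()" not in pp:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings
```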

Input & forms

  • All form inputs are validated client-side and server-side. Server-side validation uses Zod schemas.
  • Anti-spam: Cloudflare Turnstile invisible challenge plus per-IP rate limiting at the edge.
  • No file uploads on the marketing site.

Sub-processors

The site uses the following third parties: Vercel (hosting), Cloudflare (DNS, anti-spam), Resend (transactional email), Buttondown (newsletter), Plausible (analytics), and Sentry (error tracking). All EU/India-friendly.

Disclosure

If you find a vulnerability, please email security@deswalsandbox.com with details. I'll acknowledge within 48 hours, fix critical issues within 7 days, and credit you in the changelog if you'd like.

Please give me a reasonable window before public disclosure.

What I commit to

  • No skipping security headers to make things easier.
  • No turning off CSP to fix a third-party script — find a way to add the nonce.
  • An incident post-mortem published publicly within 7 days of any data breach that affects subscribers.