CodeWatchdog
// Infrastructure security audit — public results

WE SCAN
OURSELVES.

A security review company must secure its own infrastructure. These are CodeWatchdog's independent test results. Every score is publicly verifiable. Every link runs the test live on the actual site.

// Links below open third-party tools testing codewatchdog.com in real time. Independent results — not our word.
// Security Headers
A+
All six critical response headers present and correctly configured. HSTS with 2-year max-age and preload.
securityheaders.com
Verify live →
// SSL / TLS
A+
TLS 1.3 enforced. TLS 1.0 and 1.1 disabled. Strong cipher suites only. Valid certificate chain.
Qualys SSL Labs
Verify live →
// Mozilla Observatory
A+
CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy all present. No mixed content.
observatory.mozilla.org
Verify live →
// Privacy Scan
100
Zero third-party tracking scripts. No analytics. No advertising pixels. No session recording. Referrer-Policy: no-referrer.
webbkoll.dataskydd.net
Verify live →
// What these scores mean in practice
A+ on Security Headers: every response carries the full set of directives, so browsers refuse framing, refuse to sniff content types, refuse cross-site embedding and insist on HTTPS. A+ on SSL Labs: the TLS endpoint accepts only modern protocol versions and strong cipher suites and presents a valid certificate chain. 100 on privacy: no Google Analytics, no Facebook Pixel, no Hotjar, no Intercom, nothing watching you back.

// Response headers — full configuration
EVERY HEADER. EXPLAINED.
Sent with every response from this server. Inspect them yourself in browser dev tools: Network → Response Headers.
// HTTP Response Headers — codewatchdog.com
Strict-Transport-Security (HSTS preload)
max-age=63072000; includeSubDomains; preload
Forces HTTPS for two years (63072000 seconds) on this host and every subdomain. Listed in the browser preload lists, so HTTPS is enforced before the first request is ever made.
Content-Security-Policy (CSP)
default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self'
Restricts resource loading to this origin, blocks framing by any site and limits form submissions to this domain. Two caveats worth weighing: 'unsafe-inline' on script-src means the policy does not stop injected inline scripts, which a per-response nonce or a hash would (browsers that support either ignore 'unsafe-inline' once one is present); and the policy as reproduced here has no font-src entry, so fonts from fonts.gstatic.com fall under default-src 'self' and need an explicit font-src source to load.
X-Frame-Options (Clickjack)
DENY
This page cannot be embedded in an iframe on any origin, which removes the basis for clickjacking. Redundant with frame-ancestors 'none' in current browsers; kept for older ones that predate CSP frame-ancestors.
X-Content-Type-Options (MIME)
nosniff
Stops browsers from MIME-sniffing a response away from its declared Content-Type, so a file served as text cannot be reinterpreted as script or a stylesheet.
Referrer-Policy (Privacy)
no-referrer
No Referer header is sent with any request from this site, whether for subresources or for navigation. A destination you reach by following a link here learns nothing about where the visit originated.
Permissions-Policy (Sensors)
camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=()
Disables the camera, microphone, geolocation, Payment Request and WebUSB APIs for this page and anything it embeds, and opts out of FLoC cohort calculation (interest-cohort). The Topics API that replaced FLoC has its own feature name, browsing-topics, which is not in this list. Only the listed features are disabled; every other browser feature keeps its default availability.
Cross-Origin-Opener-Policy (Isolation)
same-origin
Puts this page in its own browsing context group, so a cross-origin page that opened it, or that it opened, gets no usable window reference: window.opener is severed and cross-window leaks are closed off. Full Spectre-class hardening (cross-origin isolation) needs Cross-Origin-Embedder-Policy as well; only COOP is listed here.
Cross-Origin-Resource-Policy (Leakage)
same-origin
Responses from this site are refused when another origin tries to embed them through <img>, <script>, <audio> and similar no-cors loads. Blocks cross-site inclusion of this site's resources, which is how cross-origin data gets pulled into an attacker's process for side-channel reads.

// Known scanner findings — full transparency
WHAT SCANNERS FLAG. AND WHY.
Some privacy and security scanners report warnings that are technically accurate but require context to interpret correctly. We document every finding here rather than ignore it.
Cloudflare
NEL — Network Error Logging header present
Privacy scanners flag the NEL and Report-To headers because they instruct the browser to send network error reports to a third-party URI — in this case https://a.nel.cloudflare.com/report/v4.

This header is not set by CodeWatchdog. It is injected by Cloudflare at the network edge for every site hosted on Cloudflare Pages and Cloudflare Workers. It cannot be suppressed or removed via the _headers configuration file — it operates below the application layer. The only way to eliminate it would be to move off Cloudflare infrastructure entirely.

What it actually reports: browser-detected network errors (failed DNS lookups, TLS handshake failures, TCP timeouts) that occur when your browser attempts to reach this site. It reports infrastructure faults back to Cloudflare — the company that hosts this site, not a separate third party. It does not transmit page content, user behaviour, form data, or any identifying information about you. Cloudflare's handling of this data is governed by their Privacy Policy and enterprise DPA.
Policy
Referrer-Policy — scanner recommendation noted
Some privacy scanners warn about strict-origin-when-cross-origin, the browser default since Chrome 85, because under it the origin (scheme and host, not the full URL) is still sent when a user follows a link to an external domain. It is standard safe practice, but it is not the most restrictive value available.

This site does not use that value. Its Referrer-Policy is no-referrer, under which no referrer information is sent in any circumstance, neither on external navigations nor on subresource loads. A destination you reach from this site receives no information about where the visit originated.

// Privacy — what is not on this site
ZERO THIRD-PARTY TRACKING.
Most sites load 10 to 30 third-party scripts that report your behaviour to companies you never agreed to interact with. None of those scripts are here.
Not present
Google Analytics / Tag Manager
No analytics script of any kind. Your visit is not counted, segmented, or sent to any third-party reporting dashboard. We do not know how many people visit this page and that is intentional.
Not present
Advertising Pixels
No Facebook Pixel, no LinkedIn Insight Tag, no Twitter/X tracking, no Google Ads remarketing. Your visit is not used to build an ad targeting profile.
Not present
Session Recording
No Hotjar, no FullStory, no Microsoft Clarity. Nobody is watching a replay of your mouse movements. No heatmap tool is running in the background.
Not present
Live Chat and Support Widgets
No Intercom, no Drift, no Zendesk, no Crisp. These tools load significant JavaScript, track browsing behaviour, and report it to their parent companies by default.
Present
Google Fonts
This site loads font files from fonts.gstatic.com, which must be permitted by a font-src source in the CSP. It is the only third-party domain contacted. It sets no cookies, and the no-referrer policy means the request carries no indication of the page you were viewing; as with any third-party fetch, Google's servers do see the request itself, including your IP address and browser user agent. Self-hosting the font files would remove this contact entirely.
Active
Cloudflare Protection
The site runs behind Cloudflare, which provides DDoS protection, TLS termination, and edge caching. Cloudflare processes traffic at the network layer. Their data practices are governed by their DPA.

// Stack
WHAT THIS RUNS ON.
Every component was chosen with security and privacy as primary criteria, not convenience.
Hosting
Cloudflare Pages
Static files served from Cloudflare's global edge network. No self-managed origin server to compromise. DDoS protection active at the network layer. Automatic TLS certificate provisioning and renewal.
API / Serverless Functions
Cloudflare Workers
All backend API endpoints run as Cloudflare Workers: short-lived V8 isolates with no persistent runtime and no long-lived host process to exploit. An isolate may be reused for several requests and module-level variables can survive between them, so nothing request-specific belongs in global scope and no code may assume a fresh isolate.
Database
Cloudflare D1 (SQLite)
Contact and application data stored in Cloudflare's edge database. Reachable only from Workers through a D1 binding configured on the Worker; there is no public connection string and no exposed port.
Rate Limiting
Cloudflare KV
IP-based rate limiting on all scan endpoints, enforced in the Worker with a counter in KV storage: 10 scans per hour per IP. Prevents abuse without requiring user accounts. Because KV is eventually consistent and get/put is not an atomic increment, the counter is a best-effort brake rather than a hard ceiling; concurrent requests arriving at different edge locations can briefly exceed it. A strict limit needs a single-writer store such as a Durable Object.
Secrets Management
Cloudflare Environment Secrets
API keys, access codes, and credentials stored as encrypted Cloudflare secrets. Never in source code, never in configuration files, never in version control. Injected at runtime only.
AI Analysis
Anthropic Claude API
Code scans are processed via Anthropic's API over an encrypted connection. Anthropic does not train its models on API inputs — this is governed by their API usage policy and data processing agreement. Code submitted for AI scan is not stored by CodeWatchdog at any point. Human review engagements operate under a signed NDA as standard — no code is retained after project delivery.
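The Rate Limiting entry above describes a per-IP counter in KV. The following is an added example of that pattern, not CodeWatchdog's code: a fixed-window limiter written against the KV get/put interface, a stand-in store so it runs outside the Workers runtime, and a reproduction of the lost-update race that makes a KV counter best-effort. The binding name RATE_KV, the constants LIMIT and WINDOW_SECONDS, and the sample addresses are assumptions.

```javascript
// Added example, not CodeWatchdog's code: fixed-window, per-IP rate limit of
// the kind the page describes (10 scans per hour), written against the Workers
// KV get/put interface. RATE_KV, LIMIT and WINDOW_SECONDS are assumed names.

const LIMIT = 10;            // assumed: scans permitted per window
const WINDOW_SECONDS = 3600; // assumed: one-hour window

// One KV key per client and per window; letting the key expire with the
// window means no cleanup job is needed.
function windowKey(ip, nowMs, windowSeconds = WINDOW_SECONDS) {
  const windowStart = Math.floor(nowMs / 1000 / windowSeconds) * windowSeconds;
  return { key: `rl:${ip}:${windowStart}`, resetAt: windowStart + windowSeconds };
}

// Pure decision step, separated from storage so it can be tested without KV.
function decide(storedCount, limit = LIMIT) {
  const count = Number(storedCount) || 0; // KV returns null for an unknown key
  if (count >= limit) return { allowed: false, remaining: 0, newCount: count };
  return { allowed: true, remaining: limit - count - 1, newCount: count + 1 };
}

// Worker-side check. `kv` is anything with the KVNamespace get/put shape.
async function checkRateLimit(kv, ip, nowMs = Date.now()) {
  const { key, resetAt } = windowKey(ip, nowMs);
  const d = decide(await kv.get(key));
  if (d.allowed) {
    // expirationTtl is in seconds; KV's 60-second minimum is well under an hour.
    await kv.put(key, String(d.newCount), { expirationTtl: WINDOW_SECONDS });
  }
  return { allowed: d.allowed, remaining: d.remaining, retryAfter: resetAt - Math.floor(nowMs / 1000) };
}

// What a scan route sends back, as a plain status/headers description so the
// logic runs outside the Workers runtime; a Worker wraps this in a Response.
async function scanGate(kv, ip, nowMs = Date.now()) {
  const v = await checkRateLimit(kv, ip, nowMs);
  if (!v.allowed) {
    return { status: 429, headers: { 'Retry-After': String(v.retryAfter), 'X-RateLimit-Remaining': '0' } };
  }
  return { status: 200, headers: { 'X-RateLimit-Remaining': String(v.remaining) } };
}

// In-memory stand-in for the KV binding, constructed for the stand-alone run.
// Inside a Worker, env.RATE_KV takes its place and CF-Connecting-IP supplies the ip.
class FakeKV {
  constructor() { this.store = new Map(); }
  async get(key) { return this.store.has(key) ? this.store.get(key) : null; }
  async put(key, value) { this.store.set(key, value); }
}

// Failure mode: KV get/put is not an atomic increment, and KV is eventually
// consistent across edge locations. Two requests that both read the counter
// before either writes it both pass, and the stored count ends one short of
// the requests actually served. This reproduces that interleaving.
async function lostUpdateDemo() {
  const kv = new FakeKV();
  const ip = '203.0.113.7'; // constructed sample address
  const t = 1_700_000_000_000;
  for (let i = 0; i < LIMIT - 1; i++) await checkRateLimit(kv, ip, t); // 9 of 10 used
  const { key } = windowKey(ip, t);
  const readA = await kv.get(key); // request A reads 9
  const readB = await kv.get(key); // request B reads 9 before A has written
  const a = decide(readA);
  const b = decide(readB);
  await kv.put(key, String(a.newCount));
  await kv.put(key, String(b.newCount));
  return { bothAllowed: a.allowed && b.allowed, served: LIMIT - 1 + 2, storedCount: Number(await kv.get(key)) };
}
```

In a Worker the call is `await checkRateLimit(env.RATE_KV, request.headers.get('CF-Connecting-IP'))`, with the 429 carrying Retry-After as `scanGate` shows. `lostUpdateDemo()` returns both requests allowed and a stored count of 10 after 11 were served, which is why the entry above calls the KV counter a brake rather than a ceiling; a Durable Object serialises the increment per key when the limit has to be exact.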

// Run the tests yourself
CHECK EVERY CLAIM.
Each card below links to an independent third-party tool pointed at our live domain. The results are real-time — not screenshots, not PDFs. If the score has changed since this page was written, you will see the current result.
// securityheaders.com
Security Headers Analysis
Scans all HTTP response headers. Grades on the presence and configuration of the six headers listed above: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, and reports the cross-origin headers (COOP, CORP) it finds.
securityheaders.com/?q=codewatchdog.com
// Qualys SSL Labs
SSL / TLS Configuration Test
Deep analysis of the TLS configuration — protocol versions, cipher suites, certificate chain, HSTS preload status, and known vulnerability exposure (POODLE, Heartbleed, ROBOT, etc.).
ssllabs.com/ssltest/analyze.html?d=codewatchdog.com
// Mozilla Observatory
Web Security Observatory
Mozilla's security scoring tool. Evaluates CSP quality, HSTS configuration, cookie security, subresource integrity, redirection behavior, and cross-origin policy. Industry-trusted grading.
observatory.mozilla.org/analyze/codewatchdog.com
// Webbkoll / dataskydd.net
Privacy and Tracker Scan
Loads the page in a real browser and reports every third-party domain contacted, every cookie set, and all tracking resources loaded. Run by a Swedish non-profit focused on digital rights.
webbkoll.dataskydd.net/en/check?url=codewatchdog.com
// Google PageSpeed Insights
Performance and Core Web Vitals
Measures real-world load performance, Largest Contentful Paint, Cumulative Layout Shift, and Interaction to Next Paint. Fast sites are harder to disrupt and easier to trust.
pagespeed.web.dev/analysis?url=codewatchdog.com
// DNS Checker
DNS Propagation and Health
Verifies DNS records are consistent across global resolvers. Confirms the domain is not hijacked or pointing to an unexpected IP. Checks from 26 locations worldwide.
dnschecker.org/#A/codewatchdog.com
// The point
We review code for security vulnerabilities. If our own infrastructure didn't meet the same standard, nothing here would be credible. These scores aren't a feature — they're the baseline.
© 2026 CodeWatchdog.com
a Noir Protocols company