🔒 Independently Verified

SECURITY.

Every connection encrypted. Every header hardened. Every attack vector locked down. Thirteen months of iterative hardening, zero shortcuts. Your browser doesn't have to trust us because the math does.

Mozilla Observatory · SSL Labs · SecurityHeaders.com
A+ GRADE · 100 / 100
TLS 1.3 with AES-256. HSTS preloaded. Strict Content Security Policy. Zero inline scripts. No third-party JavaScript loaded without a self-hosted copy. Every header audited and scored perfect.
13 Months Hardening · 7+ Header Policies · 0 Breach Incidents · 100% CSP Coverage · 2yr HSTS Preload

Every layer hardened.

Security isn't one thing. It's seven. We take the paranoid option at every layer so that breaking any single control never compromises the rest. Each header below is independently visible via curl -I and independently graded by third-party auditors.

TLS 1.3 / AES-256
Every connection is encrypted with the TLS 1.3 protocol using the AES-256-GCM-SHA384 cipher suite. Same standard used by NATO, banks, and Signal.
ACTIVE
HSTS Preload
HTTP Strict Transport Security with two-year enforcement. Your browser is hard-instructed to never connect over unencrypted HTTP. Preload-ready for every major browser.
ENFORCED
Content Security Policy
Strict CSP blocks every unauthorised script, frame, data URI, and cross-origin request. Only self-hosted scripts plus Google Fonts are permitted. XSS neutralised at the browser level.
LOCKED
Clickjack & Frame Block
X-Frame-Options DENY and frame-ancestors 'none' prevent any external site from embedding or overlaying FreedomCore. Zero clickjacking risk on any device.
BLOCKED
API Rate Limiting
Every API endpoint is rate-limited to 10 requests/sec per IP with burst protection. Read-only GETs by default. Write endpoints gated by a second layer of session auth.
PROTECTED
Privacy Headers
Referrer-Policy controls data leakage. Permissions-Policy blocks camera, microphone, geolocation, payment, USB and sensor access by default. Cross-Origin policies isolate every resource.
SEALED
No Inline JavaScript
Every script on every page is an external file. No <script>alert()</script> lurking in HTML. No eval. No new Function. Attackers can't inject payloads that execute.
ENFORCED
Nothing Custodial
We never hold user funds. The token gate reads the on-chain balance directly, and the subscription gate is billed by Stripe. Your keys and money never touch our servers. Can't lose what we never held.
BY DESIGN
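
The header claims in the cards above can be checked mechanically against `curl -I` output. This is an added example, not FreedomCore's own code: the sample response is constructed, and the function names are assumptions; the thresholds come from the values stated on this page.

```python
import re
TWO_YEARS = 63072000  # seconds; the page states two-year HSTS enforcement

# Constructed sample of `curl -I` output (not captured from the real site).
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; font-src https://fonts.gstatic.com; frame-ancestors 'none'
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
"""

def parse_headers(raw):
    """Parse `curl -I` output into {lower-cased name: value}; a repeated header keeps its last value."""
    lines = raw.strip().splitlines()[1:]  # skip the status line
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def csp_directives(csp):
    """Split a CSP string into {directive: [tokens]}; the first copy of a directive wins."""
    out = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:
            out.setdefault(tokens[0], tokens[1:])
    return out

def audit(raw):
    """Return findings; an empty list means every control the page lists was observed."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < TWO_YEARS:
        findings.append("HSTS max-age below two years")
    if "includesubdomains" not in hsts or "preload" not in hsts:  # both needed for preload lists
        findings.append("HSTS lacks includeSubDomains or preload")
    csp = csp_directives(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src", ["*"]))  # neither set: unrestricted
    if {"'unsafe-inline'", "'unsafe-eval'", "data:", "*"} & set(scripts):
        findings.append("CSP permits inline, eval, data: or wildcard scripts")
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    policy = h.get("permissions-policy", "").replace(" ", "")
    blocked = ("camera", "microphone", "geolocation", "payment", "usb")
    findings += ["Permissions-Policy does not disable " + f for f in blocked if f + "=()" not in policy]
    return findings
```

Pass the text printed by `curl -I` for the site to `audit()`; an empty list means each listed control was present in that response.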

The hardening timeline.

Security isn't a launch feature. It's a thirteen-month running scorecard. Every improvement shipped, every header added, every gap discovered and patched. No incident in any month.

May 2025: Server spun up. TLS auto-provisioned via Let's Encrypt. HTTPS-only from day one.
Jul 2025: Added HSTS with 6-month enforcement. All HTTP requests permanently redirect.
Sep 2025: Introduced Content Security Policy in report-only mode. Audited every violation.
Nov 2025: Promoted CSP to enforce mode. Removed all inline scripts. Zero regressions.
Jan 2026: X-Frame-Options + frame-ancestors. Anti-clickjack hardened to grade A.
Feb 2026: Permissions-Policy added. Camera / mic / geolocation / USB / payment API blocked by default.
Mar 2026: Cross-Origin policies added (COOP / CORP). Isolated every resource.
Apr 2026: HSTS extended to 2-year preload. Rate limiting added at nginx. API key required on every /api/ route.
Apr 2026: Self-hosted every third-party JS (ethers.js, etc.). No external code loads at all. A+ across all three auditors.
🔍 Verify Independently

Don't take my word for any of this. Click through to three independent third-party auditors and see the A+ grade for yourself. Every button below checks freedomcore.io live.
