Auditors: start at Trust Center.

Ops evidence

Post‑deploy security headers probe

A public‑safe, deterministic checklist to prove what the host actually serves after deploy. Capture the output once, attach it to the audit ticket, and treat any mismatch as HOLD (fail‑closed).

curl probes

Commands (paste once)

Run these on any machine with curl. Save output to a file and attach to the ticket.

Probe block
# MVG post-deploy header probe (UTC)
TS=$(date -u +%Y%m%dT%H%M%SZ)
OUT=ops_headers_${TS}.txt
echo "[UTC] ${TS}" | tee "${OUT}"

# Header lines kept in the filtered view (matched case-insensitively)
FILTER='^(HTTP/|strict-transport-security:|content-security-policy:|x-content-type-options:|referrer-policy:|permissions-policy:|cache-control:|content-type:|location:)'

# 1) Core entrypoints (expected: security headers present)
# Each URL is fetched once; the raw and filtered views come from the same
# response, so the attached evidence cannot disagree with itself.
# -I sends a HEAD request; if the host answers HEAD and GET differently,
# capture GET headers with: curl -s -o /dev/null -D - "${URL}"
for URL in \
  https://meridianverity.com/ \
  https://meridianverity.com/trust-center/ \
  https://meridianverity.com/search/ \
  https://meridianverity.com/trust/site-release/ \
  https://meridianverity.com/.well-known/security.txt; do
  printf "\n=== %s ===\n" "${URL}" | tee -a "${OUT}"
  RAW=$(curl -sI "${URL}" | tr -d '\r')
  printf "%s\n" "${RAW}" | tee -a "${OUT}"
  printf "\n-- filtered --\n" | tee -a "${OUT}"
  printf "%s\n" "${RAW}" | grep -Ei "${FILTER}" | tee -a "${OUT}"
done

# 2) Cache split proof (expected: .well-known no-store; hashed assets immutable)
printf "\n=== cache split (.well-known) ===\n" | tee -a "${OUT}"
curl -sI https://meridianverity.com/.well-known/mvg-trust.json | tr -d '\r' | grep -Ei '^(HTTP/|cache-control:|content-type:)' | tee -a "${OUT}"

printf "\n=== cache split (hashed asset) ===\n" | tee -a "${OUT}"
curl -sI https://meridianverity.com/assets/site-polish.v62_1.css | tr -d '\r' | grep -Ei '^(HTTP/|cache-control:|content-type:)' | tee -a "${OUT}"

printf "\nWrote: %s\n" "${OUT}" | tee -a "${OUT}"

# 3) Record sha256 for ticketing (do not modify the file after hashing)
if command -v sha256sum >/dev/null 2>&1; then
  sha256sum "${OUT}"
elif command -v shasum >/dev/null 2>&1; then
  shasum -a 256 "${OUT}"
else
  openssl dgst -sha256 "${OUT}"
fi
Expected security headers (PASS / HOLD)

What must be present

Treat this as a fail‑closed checklist. Missing required headers ⇒ HOLD.

  • strict-transport-security (HSTS)
  • content-security-policy (CSP)
  • x-content-type-options: nosniff
  • referrer-policy
  • permissions-policy

Note: some of these headers are set at the host level rather than by the application; this probe confirms they are actually served.

Expected cache split (procurement-grade)

What must be true

Receipts/pointers must not be cached; versioned assets should be immutable.

  • /.well-known/… and pointer JSON: cache-control: no-store
  • Hashed assets (e.g., *.v62_*): cache-control: public, max-age=31536000, immutable

If cache policy drifts, auditors may treat evidence as non-authoritative.
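The two checklists above (required headers: missing ⇒ HOLD, invalid ⇒ FAIL; cache split: pointers no-store, hashed assets immutable) can be applied to a captured ops_headers file offline. What follows is an added example, not code from this page or from Meridian Verity's ops tooling. The helper names, the scratch file names and every sample header value are constructed for illustration, and the only invalid-value rule it encodes is x-content-type-options: nosniff, since that is the one value the checklist pins down.

```shell
#!/bin/sh
# Added example (not code from the MVG page or its ops tooling): apply the
# fail-closed rules above to captured header output, offline. Inputs are raw
# header lines as `curl -sI` writes them; CRLF endings are tolerated.
# All sample values, file names and helper names here are constructed.

REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options referrer-policy permissions-policy"

# header_value FILE NAME -> first value of header NAME, trimmed and lowercased;
# prints nothing when the header is absent (names match case-insensitively)
header_value() {
  tr -d '\r' < "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# entrypoint_verdict FILE -> PASS | HOLD | FAIL
#   HOLD: a required header is missing (fail-closed, as the checklist says)
#   FAIL: all required headers present but x-content-type-options is not nosniff
entrypoint_verdict() {
  verdict=PASS
  for name in $REQUIRED_HEADERS; do
    if [ -z "$(header_value "$1" "$name")" ]; then
      echo "missing required header: $name" >&2
      verdict=HOLD
    fi
  done
  if [ "$verdict" = PASS ] && [ "$(header_value "$1" x-content-type-options)" != nosniff ]; then
    echo "invalid x-content-type-options value" >&2
    verdict=FAIL
  fi
  echo "$verdict"
}

# cache_verdict FILE KIND -> PASS | FAIL, KIND is "pointer" or "asset"
#   pointer (/.well-known/... and pointer JSON): cache-control must carry no-store
#   asset (hashed, e.g. *.v62_*): must carry public, max-age=31536000 and immutable
cache_verdict() {
  cc=$(header_value "$1" cache-control)
  case "$2" in
    pointer) case "$cc" in *no-store*) echo PASS ;; *) echo FAIL ;; esac ;;
    asset)
      if printf '%s\n' "$cc" | grep -q 'public' \
        && printf '%s\n' "$cc" | grep -q 'max-age=31536000' \
        && printf '%s\n' "$cc" | grep -q 'immutable'; then
        echo PASS
      else
        echo FAIL
      fi ;;
  esac
}

# extract_section CAPTURE URL -> raw header lines recorded for URL in a combined
# ops_headers_*.txt (the block between "=== URL ===" and "-- filtered --")
extract_section() {
  awk -v url="$2" '
    $0 == ("=== " url " ===") { on = 1; next }
    on && ($0 == "-- filtered --" || $0 ~ /^=== /) { exit }
    on { print }' "$1"
}

# --- constructed samples (not captured from any real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_sample() {  # write_sample FILE LINE... -> LINEs with CRLF endings, blank line last
  f="$1"; shift; : > "$f"
  for line in "$@"; do printf '%s\r\n' "$line" >> "$f"; done; printf '\r\n' >> "$f"
}
write_sample "$SAMPLE_DIR/entry_ok.txt" 'HTTP/2 200' \
  'Content-Type: text/html; charset=utf-8' \
  'Strict-Transport-Security: max-age=63072000; includeSubDomains' \
  "Content-Security-Policy: default-src 'self'" \
  'X-Content-Type-Options: nosniff' \
  'Referrer-Policy: strict-origin-when-cross-origin' \
  'Permissions-Policy: camera=(), microphone=()'
write_sample "$SAMPLE_DIR/entry_missing.txt" 'HTTP/2 200' 'Strict-Transport-Security: max-age=63072000' \
  "Content-Security-Policy: default-src 'self'" 'X-Content-Type-Options: nosniff' 'Referrer-Policy: no-referrer'
write_sample "$SAMPLE_DIR/entry_bad.txt" 'HTTP/2 200' 'Strict-Transport-Security: max-age=63072000' \
  "Content-Security-Policy: default-src 'self'" 'X-Content-Type-Options: sniff' \
  'Referrer-Policy: no-referrer' 'Permissions-Policy: camera=()'
write_sample "$SAMPLE_DIR/pointer_ok.txt" 'HTTP/2 200' 'Content-Type: application/json' 'Cache-Control: no-store'
write_sample "$SAMPLE_DIR/asset_ok.txt" 'HTTP/2 200' 'Content-Type: text/css' 'Cache-Control: public, max-age=31536000, immutable'
write_sample "$SAMPLE_DIR/asset_drift.txt" 'HTTP/2 200' 'Content-Type: text/css' 'Cache-Control: public, max-age=0'

# A combined capture in the probe's own layout, built from the samples above
CAPTURE="$SAMPLE_DIR/ops_headers_sample.txt"
{
  printf '=== %s ===\n' 'https://example.invalid/'; cat "$SAMPLE_DIR/entry_ok.txt"; printf -- '-- filtered --\n'
  printf '=== %s ===\n' 'https://example.invalid/.well-known/pointer.json'; cat "$SAMPLE_DIR/pointer_ok.txt"; printf -- '-- filtered --\n'
} > "$CAPTURE"

for f in entry_ok entry_missing entry_bad; do
  printf '%s: %s\n' "$f" "$(entrypoint_verdict "$SAMPLE_DIR/$f.txt")"
done
printf 'pointer_ok: %s\n' "$(cache_verdict "$SAMPLE_DIR/pointer_ok.txt" pointer)"
printf 'asset_ok: %s\n' "$(cache_verdict "$SAMPLE_DIR/asset_ok.txt" asset)"
printf 'asset_drift: %s\n' "$(cache_verdict "$SAMPLE_DIR/asset_drift.txt" asset)"
extract_section "$CAPTURE" 'https://example.invalid/' > "$SAMPLE_DIR/section.txt"
printf 'section from capture: %s\n' "$(entrypoint_verdict "$SAMPLE_DIR/section.txt")"
```

To run this against a real capture, call extract_section with the ops_headers file and the URL exactly as it appears in the `=== … ===` banner, then pass the extracted block to entrypoint_verdict or cache_verdict. Any HOLD or FAIL is written to stderr with the header that caused it, so the reason can be quoted in the ticket alongside the verdict.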

ticket text

Audit ticket note (short)

Paste this into the audit/procurement ticket and attach the ops_headers_*.txt output file.

Pasteable note
Post-deploy security headers probe (curl) completed.
Attached: ops_headers_<TS>.txt (raw + filtered).
Recorded: ops_headers_<TS>.txt sha256: [paste]
Expectation: missing required security headers ⇒ HOLD; invalid/misconfigured headers ⇒ FAIL.
Cache split: /.well-known no-store; hashed assets immutable.
Ops evidence page (public-safe): https://meridianverity.com/press/ops/security/headers/

This page is informational, public‑safe, and non‑binding unless incorporated into signed artifacts or contracts.

Where it fits: Trust Center

Auditor path