Procurement • Security

Security lens: headers, CSP, caching, release evidence.

Everything a skeptical security team should be able to validate — without trust, without uploads, and without third‑party scripts.

Security posture summary

  • No third‑party scripts. All scripts, fonts, and assets are same‑origin.
  • Strict CSP with object-src 'none', frame-ancestors 'none', and no inline style attributes.
  • SRI on versioned assets; cache is immutable for versioned assets.
  • Fail‑closed verification: missing/unverifiable proofs ⇒ HOLD (intentional).

How to validate (copy/paste)

Commands a security reviewer can run. These checks should be automatable.

Headers • curl

Response header probe

curl -sI https://meridianverity.com/procurement/ | sed -n '1,40p'

# Focus on: Content-Security-Policy, HSTS, X-Content-Type-Options,
# Referrer-Policy, Permissions-Policy, Cross-Origin-* and Cache-Control

Expected: strict CSP + no framing + no MIME sniff + HSTS (HTTPS only) + tight referrer + restrictive permissions.
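The "Expected:" line above can be turned into a mechanical check. The script below is an added example, not tooling from the page or from the site it describes: it reads a raw header block (what curl -sI prints), reports every expectation that is not met, and returns 0 only when all of them hold. The two header blocks it runs on are constructed samples so it works offline; the thresholds (HSTS max-age of at least one year, the set of referrer policies counted as "tight", Cross-Origin-Opener-Policy same-origin) are this example's assumptions about what the page's wording means.

```sh
#!/bin/sh
# Added example (not from the page): validate a captured header block against
# the expectations listed on the page. For a live probe, call
#   check_security_headers "$(curl -sI https://meridianverity.com/procurement/)"

# header_value NAME HEADERS -> value of the first header called NAME (case-insensitive), empty if absent
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1" '
    index(tolower($0), tolower(name) ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_security_headers HEADERS -> one FAIL line per unmet expectation; exit 0 only if none
check_security_headers() {
  h=$1
  fails=0
  csp=$(header_value Content-Security-Policy "$h")
  # The summary names these two CSP directives explicitly
  for directive in "object-src 'none'" "frame-ancestors 'none'"; do
    case "$csp" in
      *"$directive"*) ;;
      *) echo "FAIL: CSP missing $directive"; fails=$((fails + 1)) ;;
    esac
  done
  # HSTS must be present with a max-age of at least one year (assumed threshold)
  age=$(header_value Strict-Transport-Security "$h" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
    echo "FAIL: HSTS absent or max-age below one year"; fails=$((fails + 1))
  fi
  case "$(header_value X-Content-Type-Options "$h" | tr 'A-Z' 'a-z')" in
    nosniff) ;;
    *) echo "FAIL: X-Content-Type-Options is not nosniff"; fails=$((fails + 1)) ;;
  esac
  # "Tight referrer" is read here as: never sends the path cross-origin
  case "$(header_value Referrer-Policy "$h" | tr 'A-Z' 'a-z')" in
    no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin) ;;
    *) echo "FAIL: Referrer-Policy missing or too permissive"; fails=$((fails + 1)) ;;
  esac
  [ -n "$(header_value Permissions-Policy "$h")" ] || { echo "FAIL: Permissions-Policy absent"; fails=$((fails + 1)); }
  case "$(header_value Cross-Origin-Opener-Policy "$h" | tr 'A-Z' 'a-z')" in
    same-origin) ;;
    *) echo "FAIL: Cross-Origin-Opener-Policy is not same-origin"; fails=$((fails + 1)) ;;
  esac
  [ "$fails" -eq 0 ]
}

# Constructed sample 1: a header block that meets every expectation
GOOD_HEADERS=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
cache-control: no-store
EOF
)

# Constructed sample 2: a permissive header block that should be reported
WEAK_HEADERS=$(cat <<'EOF'
HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self' https:
referrer-policy: unsafe-url
cache-control: no-store
EOF
)

if check_security_headers "$GOOD_HEADERS"; then echo "sample 1: PASS"; fi
if check_security_headers "$WEAK_HEADERS"; then echo "sample 2: PASS"; else echo "sample 2: FAIL"; fi
```

Each FAIL line names the single expectation that was missed, so the output can be diffed between releases; a header that was present last time and is absent now is a regression worth a HOLD even when the page still renders.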

SRI • Integrity

Subresource integrity check

# Example: verify an asset matches its pinned sha256 in the HTML
curl -s https://meridianverity.com/procurement/ \
  | grep -Eo 'integrity="sha256-[^"]+"' | head

# Optional: download the asset and compute sha256 locally, compare.

SRI is mandatory for versioned CSS/JS. Any mismatch is a FAIL signal.
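The "optional" step above (download the asset, hash it locally, compare) is what actually proves the pin. The script below is an added example, not the page's or the site's own tooling: it computes the integrity value for a local file for any of the three SRI algorithms, verifies a file against a pinned value, and extracts pins from HTML with the same grep as the probe above. The base64 step is done in awk so only coreutils and awk are needed. The asset and HTML it checks are constructed fixtures written to a temp directory; with a live page, replace them with the page body from curl -s and the asset downloaded with curl -s -o.

```sh
#!/bin/sh
# Added example (not from the page): verify a downloaded asset against the
# integrity pin in the HTML, for sha256, sha384 and sha512.

# hex_to_b64 HEX -> standard base64 (with padding) of the bytes HEX encodes; pure awk, no openssl/xxd
hex_to_b64() {
  printf '%s\n' "$1" | awk '
    function hexval(h,  i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
      return v
    }
    BEGIN { tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
    {
      out = ""
      for (i = 1; i <= length($0); i += 6) {          # 3 bytes (6 hex digits) per group
        chunk = substr($0, i, 6)
        nb = length(chunk) / 2                        # bytes in this group: 1, 2 or 3
        v = hexval(chunk) * (256 ^ (3 - nb))          # left-align into 24 bits
        out = out substr(tbl, int(v / 262144) % 64 + 1, 1) substr(tbl, int(v / 4096) % 64 + 1, 1)
        out = out (nb > 1 ? substr(tbl, int(v / 64) % 64 + 1, 1) : "=")
        out = out (nb > 2 ? substr(tbl, v % 64 + 1, 1) : "=")
      }
      print out
    }'
}

# sri_digest FILE ALGO -> "ALGO-<base64 digest>", the value an integrity attribute should carry
sri_digest() {
  hex=$("${2}sum" "$1" | cut -d' ' -f1)
  printf '%s-%s' "$2" "$(hex_to_b64 "$hex")"
}

# sri_verify FILE INTEGRITY -> exit 0 on match, 1 on mismatch or unusable pin
sri_verify() {
  pin=${2%%\?*}              # drop any ?options suffix
  algo=${pin%%-*}
  case "$algo" in
    sha256|sha384|sha512) ;;
    *) echo "FAIL: $1: unsupported or malformed pin '$2'"; return 1 ;;
  esac
  expected=$(sri_digest "$1" "$algo")
  if [ "$expected" = "$pin" ]; then
    return 0
  fi
  echo "FAIL: $1: pinned $pin, actual $expected"
  return 1
}

# sri_pins HTML_FILE -> one integrity value per line, extracted as the grep probe above does
sri_pins() {
  grep -Eo 'integrity="(sha256|sha384|sha512)-[^"]+"' "$1" | sed 's/^integrity="//; s/"$//'
}

# --- constructed fixture: one asset and the HTML that pins it ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
asset="$work/app.v1.js"
printf 'console.log("constructed asset");\n' > "$asset"
GOOD_PIN=$(sri_digest "$asset" sha384)
printf '<script src="/assets/app.v1.js" integrity="%s"></script>\n' "$GOOD_PIN" > "$work/index.html"

# The untampered asset verifies against the pin pulled out of the HTML
pin=$(sri_pins "$work/index.html")
sri_verify "$asset" "$pin" && echo "PASS: $asset matches $pin"

# Any change to the asset, even one appended byte, must flip the verdict to FAIL
tampered="$work/app.v1.tampered.js"
{ cat "$asset"; printf '//x\n'; } > "$tampered"
sri_verify "$tampered" "$pin" || echo "(expected: tampered copy rejected)"
```

sri_digest also produces the value to pin when a release is built, so the same function serves both sides: the publisher generating the attribute and the reviewer confirming it offline.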

Cache • Immutable

Cache policy expectations

  • /assets/*.v*.* should be served with long-lived cache (immutable).
  • HTML should be no-store or short-lived (freshness over caching).
  • Downloads may be cached per policy; checksums enable offline validation.

Because every release ships its assets under new versioned names, caching them for a long time is safe: an upgrade is a pin change in the freshly fetched HTML rather than a cache invalidation, so a stale or poisoned cache entry is never served under a new name.

Supply chain • No 3P

Dependency posture

  • No third‑party analytics tags.
  • No external JS/CDN.
  • No remote fonts.
  • Deterministic verifier outputs (PASS/FAIL/HOLD).

If a third‑party dep appears unexpectedly, treat as HOLD/FAIL until explained.
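The dependency posture above is checkable from the HTML alone. The script below is an added example, not tooling from the page or the site: it lists every script, link, img and iframe source in a document, flags any that is not same-origin (absolute URLs on another host, protocol-relative //host URLs, and data:/javascript: schemes), flags inline style attributes, which the CSP in the summary rules out, and returns the PASS/FAIL verdict. The origin comes from the page's own URL; the two HTML documents it checks are constructed. With a live page, feed the body from curl -s instead.

```sh
#!/bin/sh
# Added example (not from the page): audit HTML for third-party execution
# surfaces and inline style attributes; deterministic PASS/FAIL output.

SITE_ORIGIN="https://meridianverity.com"   # origin the page states its assets come from

# resource_refs HTML_FILE -> one URL per line from src=/href= on script, link, img and iframe tags
resource_refs() {
  tr '\n' ' ' < "$1" \
    | grep -Eoi '<(script|link|img|iframe)[^>]*>' \
    | grep -Eoi '(src|href)="[^"]*"' \
    | sed 's/^[^"]*"//; s/"$//'
}

# is_same_origin URL -> 0 for a relative path or an absolute URL on SITE_ORIGIN, 1 otherwise
is_same_origin() {
  case "$1" in
    "$SITE_ORIGIN"/*)       return 0 ;;   # absolute, same origin
    //*)                    return 1 ;;   # protocol-relative: another host
    /*)                     return 0 ;;   # root-relative path
    *://*)                  return 1 ;;   # any other absolute URL
    data:*|javascript:*)    return 1 ;;   # not a network origin, but not same-origin content either
    *)                      return 0 ;;   # relative path
  esac
}

# supply_chain_verdict HTML_FILE -> PASS or FAIL lines; exit 0 only on PASS
supply_chain_verdict() {
  findings=0
  bad=$(resource_refs "$1" | while IFS= read -r ref; do
          is_same_origin "$ref" || printf '%s\n' "$ref"
        done)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed 's/^/FAIL: third-party resource: /'
    findings=$((findings + 1))
  fi
  # Inline style attributes contradict the CSP promise in the posture summary
  if grep -Eqi '<[^>]*[[:space:]]style="' "$1"; then
    echo "FAIL: inline style attribute present"
    findings=$((findings + 1))
  fi
  if [ "$findings" -eq 0 ]; then
    echo "PASS: $1: no third-party execution surface"
    return 0
  fi
  return 1
}

# --- constructed fixtures ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Same-origin only: relative paths plus one absolute URL on the site's own origin
cat > "$work/clean.html" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="/assets/site.v3.css">
<link rel="preload" as="font" href="/assets/inter.v2.woff2" crossorigin>
<script src="https://meridianverity.com/assets/app.v3.js" defer></script>
</head><body><img src="/assets/logo.v1.svg" alt=""></body></html>
EOF

# Remote font CSS, a CDN script and an inline style attribute
cat > "$work/suspect.html" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.example/css?family=Inter">
<script src="//cdn.example/analytics.js"></script>
<script src="/assets/app.v3.js"></script>
</head><body><div style="color:red">hello</div></body></html>
EOF

supply_chain_verdict "$work/clean.html"
supply_chain_verdict "$work/suspect.html" || echo "(expected: suspect page rejected)"
```

A reference that fails is_same_origin is exactly the "third-party dep appears unexpectedly" case: the output names it, so the HOLD can be explained or the FAIL confirmed without anyone loading the page in a browser.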

Release evidence • Replayable

Evidence anchors

Escalation • Security

When to escalate

  • HOLD: missing signature, missing proof, missing pointer, ambiguous channel.
  • FAIL: integrity mismatch, signature invalid, unexpected third‑party execution surface.