SELF-ATTESTATION · NOTHING HIDDEN

We scanned ourselves and published every finding.

If our own external attack surface had been clean before audit, we'd have been the only AU compliance vendor with no story to tell. It wasn't. So here's the story.

Scan run 2026-06-01 against titanos.tech. Six findings, all published verbatim. Four have been resolved or accepted with reasoning since; two remain open (one trivially blocked on a dashboard click, one a deliberate trade-off).


Source: vuln_scanner · scan_id 40e4f6c4db8b · Methodology

FINDINGS · 2026-06-01 → 2026-06-06

MEDIUM · RESOLVED

Missing Content-Security-Policy

What it means: No CSP header — broader XSS injection surface than required.

What we did: CSP shipped via <meta http-equiv> in app/layout.tsx (2026-06-06). Policy: default-src 'self', with 'unsafe-inline' on script and style for Next.js inline blocks, and /cdn-cgi/scripts/ allowed for Cloudflare.

MEDIUM · RESOLVED

Missing X-Frame-Options

What it means: No X-Frame-Options — clickjacking via iframe embed possible.

What we did: X-Frame-Options: SAMEORIGIN now served by Cloudflare Managed Transform 'Add security headers' (enabled 2026-06-06).

LOW · OPEN

Missing X-XSS-Protection

What it means: Legacy XSS filter disabled.

What we did: The header is deprecated; modern browsers (Chrome/Edge) ignore it, and CSP covers the same threat model in 2026 browsers. Not planning to add.

LOW · RESOLVED

Missing Referrer-Policy

What it means: Outbound clicks leak full URL info to third parties.

What we did: Referrer-Policy: same-origin (stricter than recommendation) served by Cloudflare Managed Transform. Belt-and-braces <meta name='referrer'> in app/layout.tsx.

LOW · PARTIAL

Missing Permissions-Policy

What it means: Browser feature APIs (camera, mic, geolocation, payment) unrestricted.

What we did: Site uses none of those APIs. Cloudflare Transform Rule to deny them queued — dashboard step pending (see audit/STAGED_CLOUDFLARE_RULES.md). No functional risk in interim.

LOW · OPEN

Information disclosure — Server header

What it means: Server: cloudflare reveals fronting CDN.

What we did: Trade-off: keeping Server: cloudflare lets clients debug DNS/CDN issues. The disclosure is harmless because Cloudflare's role here is verifiable from any whois / DNS lookup anyway.

TLS 1.3 · cert valid through 2 July 2026 · 0 open ports (Cloudflare-fronted) · 0 cleartext services · 0 DB exposure.
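As an added example (not the page's vuln_scanner), a header audit that reproduces the six checks above, with the two caveats the findings imply: a CSP delivered via <meta> is invisible to a header-only scan and its frame-ancestors is ignored by browsers, and 'unsafe-inline' on script-src leaves injected inline script executable. The helper names and the constructed sample policies are assumptions.

```python
"""Header audit for the six findings above (added example, not the page's scanner)."""
from typing import Dict, List, Optional, Tuple


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_script_sources(csp: str) -> List[str]:
    """Source list governing scripts: script-src, else the default-src fallback."""
    directives = {}
    for raw in csp.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def audit_headers(headers: Dict[str, str], meta_csp: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (severity, title, state) triples; state is OPEN, OK or INFO.
    meta_csp is the policy from a <meta http-equiv> tag, which a header-only scan
    never sees (assumption: the caller extracts it from the HTML, as this page does).
    """
    findings = []
    header_csp = _get(headers, "Content-Security-Policy")
    csp = header_csp or meta_csp
    if csp is None:
        findings.append(("MEDIUM", "Missing Content-Security-Policy", "OPEN"))
    elif "'unsafe-inline'" in csp_script_sources(csp):
        # Policy present, but injected inline script still runs; nonces or hashes close that gap.
        findings.append(("MEDIUM", "CSP allows 'unsafe-inline' scripts", "INFO"))
    else:
        findings.append(("MEDIUM", "Content-Security-Policy", "OK"))
    # frame-ancestors replaces X-Frame-Options only in a header CSP; browsers ignore it in <meta>.
    if _get(headers, "X-Frame-Options") or "frame-ancestors" in (header_csp or ""):
        findings.append(("MEDIUM", "X-Frame-Options", "OK"))
    else:
        findings.append(("MEDIUM", "Missing X-Frame-Options", "OPEN"))
    # Deprecated filter; Chrome and Edge ignore it, so absence is informational.
    state = "OK" if _get(headers, "X-XSS-Protection") else "INFO"
    findings.append(("LOW", "X-XSS-Protection (deprecated)", state))
    for name in ("Referrer-Policy", "Permissions-Policy"):
        state = "OK" if _get(headers, name) else "OPEN"
        findings.append(("LOW", name if state == "OK" else f"Missing {name}", state))
    server = _get(headers, "Server")
    if server:
        findings.append(("LOW", f"Server header discloses '{server}'", "INFO"))
    return findings
```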

THE SAME SCAN. FREE. FOR YOU.

Email us your domain. We run the scan. Report lands in your inbox within 1 business day. No card. No login. No follow-up sequence unless you reply.
