Security · Trust · Walk-the-talk

Our security is the proof.

This page documents the actual security posture of tek2serve.com — the hardening, headers, abuse protection and monitoring running right now. We sell cybersecurity, so our own house has to be in order. Audit us.

001 / Layered Defence

Defence in depth, not theatre.

Multiple independent layers of protection on every endpoint. Every header set. Every log monitored. No third-party CDN doing the work — this is our own server, our own stack, our own responsibility.

01 / Transport Security

    • TLS 1.3 with modern cipher suites
    • Let's Encrypt with auto-renewal
    • HSTS (max-age 1 year, includeSubDomains)
    • Forced HTTPS redirect (301)
    • Perfect Forward Secrecy
    • OCSP stapling enabled
02 / HTTP Security Headers

    • Strict Content Security Policy
    • Anti-clickjacking enforcement
    • MIME-type sniffing disabled
    • Restrictive referrer policy
    • Locked-down permissions policy
    • Strict transport security
03 / Network & OS Hardening

    • Restrictive host firewall
    • Automated abuse blocking
    • Key-only SSH authentication
    • No password-based access
    • Kernel-level flood protection
    • Regular security patching
04 / Application Isolation

    • Least-privilege container runtime
    • Read-only execution environment
    • No host privilege escalation
    • Memory & CPU resource limits
    • Ephemeral state, no persistent surface
    • Strict isolation from the host
05 / Form Endpoint Protection

    • Fixed recipient (no open relay possible)
    • Header injection sanitisation
    • Behavioural bot detection
    • Origin verification
    • Per-IP rate limiting
    • Length caps on every field
06 / AI Chatbot Abuse Protection

    • Multi-layered request validation
    • Behavioural session integrity checks
    • Per-session, per-IP & per-window limits
    • Adaptive cooling under load
    • Hard spend ceiling with kill-switch
    • Reserved capacity for new visitors
07 / Privacy & Data

    • No third-party analytics or tracking
    • No cookies (zero, not even essential)
    • No fingerprinting or session storage
    • Self-hosted fonts (no Google requests)
    • IP addresses one-way hashed in logs
    • UK GDPR compliant by design
08 / Email Security

    • Strict SPF / DKIM / DMARC alignment
    • TLS-only mail submission
    • Self-hosted mail platform
    • Multi-engine spam & virus scanning
    • No third-party mail provider
    • UK-resident mail data
09 / Secrets Management

    • Secrets isolated from application code
    • Restricted file permissions
    • Never committed to version control
    • No secrets in client-side code
    • Runtime injection only
    • Anti-scraping email obfuscation
10 / Backup & Recovery

    • Automated nightly backups
    • Rolling retention window
    • Restore-tested (the only kind of backup that counts)
    • Off-host secondary copy
    • Source-controlled site files
    • Documented recovery procedure
11 / Monitoring & Alerting

    • Continuous uptime monitoring
    • Automated abuse detection & logging
    • Anonymised activity logging
    • Adaptive cost & resource controls
    • Container health checks
    • Certificate expiry monitoring
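Cards 01 and 02 describe what a correct response looks like. As an added example (not tek2serve.com's own code), the checker below applies those thresholds offline to a raw HTTP response: an HSTS max-age of at least one year with includeSubDomains, a CSP whose script sources allow neither wildcards nor unsafe-inline/unsafe-eval, a frame-ancestors or X-Frame-Options clickjacking control, nosniff, a restrictive Referrer-Policy and a Permissions-Policy. Both responses are constructed; feed it the output of `curl -sI` against a real host to check a live site.

```python
"""Offline posture check for the transport and header controls in cards 01 and
02. Added example; the two responses below are constructed, not captured."""
import re

ONE_YEAR = 31_536_000
RESTRICTIVE_REFERRER = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}

# Constructed: a response that should satisfy every check.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "frame-ancestors 'none'; object-src 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
    "<!doctype html>"
)

# Constructed: a typical 'we set some headers' response that still fails.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(csp: str) -> dict:
    """Split a CSP into {directive: [lower-cased source tokens]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_posture(raw: str) -> dict:
    """Return one boolean per control, True when the response satisfies it."""
    h = parse_headers(raw)
    results = {}

    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    results["hsts_one_year_subdomains"] = bool(
        age and int(age.group(1)) >= ONE_YEAR
        and "includesubdomains" in hsts.lower()
    )

    csp = csp_directives(h.get("content-security-policy", ""))
    # script-src inherits from default-src when absent; no CSP at all -> '*'.
    script_src = csp.get("script-src", csp.get("default-src", ["*"]))
    results["csp_strict"] = bool(csp) and not any(
        t in ("'unsafe-inline'", "'unsafe-eval'", "*") for t in script_src
    )

    # Either the CSP directive or the legacy header blocks framing.
    results["clickjacking_protected"] = (
        csp.get("frame-ancestors") in (["'none'"], ["'self'"])
        or h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    )
    results["nosniff"] = h.get("x-content-type-options", "").lower() == "nosniff"
    results["referrer_restrictive"] = (
        h.get("referrer-policy", "").lower() in RESTRICTIVE_REFERRER
    )
    results["permissions_policy_set"] = "permissions-policy" in h
    return results


def grade(results: dict) -> str:
    """PASS, or FAIL with the names of the controls that are missing."""
    failed = sorted(name for name, ok in results.items() if not ok)
    return "PASS" if not failed else "FAIL: " + ", ".join(failed)


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, grade(check_posture(raw)))
```

The weak response is the instructive one: it sets HSTS and a CSP and would be counted as "having headers" by a naive scan, yet a five-minute max-age gives no real HSTS protection and `default-src *` with `'unsafe-inline'` leaves script injection fully exploitable.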
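Card 05 lists the controls on the contact form. As an added example (not tek2serve.com's own code), this is a minimal handler that implements five of them: a recipient fixed in code so the endpoint cannot be turned into an open relay, CR/LF stripping so a field cannot smuggle an extra `Bcc:` header into the outgoing mail, per-field length caps, Origin verification and a per-IP sliding-window rate limit. The recipient, sender, allowed origin and limits are assumed values; the requests in the test are constructed.

```python
"""Contact-form hardening along the lines of card 05. Added example; the
addresses, origin and limits below are assumptions, not tek2serve.com's."""
import re
from collections import defaultdict, deque
from email.message import EmailMessage

RECIPIENT = "hello@example.com"            # fixed; never taken from the request
FORM_SENDER = "website-form@example.com"   # assumed From identity for form mail
ALLOWED_ORIGINS = {"https://example.com"}  # assumed site origin
LIMITS = {"name": 80, "email": 254, "subject": 120, "message": 4000}
RATE_MAX, RATE_WINDOW = 5, 600             # 5 submissions per IP per 10 minutes
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class SlidingWindow:
    """Per-key sliding window: allow() is False once a key has used `limit`
    events inside the last `window` seconds. Rejected requests still count,
    so a bot does not get free retries by submitting garbage."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sanitise(value: str, limit: int) -> str:
    """Neutralise header-breaking characters and cap the length. A bare CR or
    LF inside a header value is exactly how 'Bcc: spammer@...' gets injected
    into a message built from form input."""
    cleaned = value.replace("\r", " ").replace("\n", " ").replace("\x00", "")
    return cleaned.strip()[:limit]


def build_message(clean: dict) -> EmailMessage:
    """Assemble the notification. The To header is the constant RECIPIENT; the
    visitor's address only ever lands in Reply-To."""
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = FORM_SENDER
    msg["Reply-To"] = clean["email"]
    msg["Subject"] = f"[web] {clean['subject']}"
    msg.set_content(f"Name: {clean['name']}\n\n{clean['message']}")
    return msg


def handle_submission(headers: dict, fields: dict, client_ip: str,
                      limiter: SlidingWindow, now: float):
    """Return (HTTP status, EmailMessage or None). Cheap checks run first and
    nothing is built for a request that fails any of them."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, None
    if not limiter.allow(client_ip, now):
        return 429, None
    clean = {k: sanitise(fields.get(k, ""), n) for k, n in LIMITS.items()}
    # The visitor's address must be a single plain address after sanitising;
    # anything that carried a CR/LF payload now contains spaces and fails.
    if not EMAIL_RE.fullmatch(clean["email"]) or not clean["message"]:
        return 400, None
    return 200, build_message(clean)


if __name__ == "__main__":
    limiter = SlidingWindow(RATE_MAX, RATE_WINDOW)
    attack = {"name": "Ann", "email": "ann@example.org\r\nBcc: victim@example.net",
              "subject": "Hi", "message": "hello"}
    print(handle_submission({"Origin": "https://example.com"}, attack,
                            "203.0.113.7", limiter, 0.0)[0])  # 400
```

Note that Python's `EmailMessage` with the default policy also refuses header values containing CR or LF, so the sanitiser is a second line of defence; relying on the library alone would turn an injection attempt into an unhandled exception rather than a clean 400.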
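Card 06 names the budget controls on the chatbot but not how they fit together. As an added example (not tek2serve.com's own code, and one interpretation of the card), the class below composes them: per-session and per-IP spend caps, adaptive cooling where the minimum gap between a session's requests grows with the day's budget utilisation, a slice of the budget reserved for sessions that have not spent anything yet, and a hard daily ceiling that trips a kill-switch. Every threshold and cost figure is illustrative.

```python
"""Spend controls for a public AI chatbot endpoint, after card 06. Added
example; the amounts are illustrative units, not real prices or budgets."""


class ChatBudget:
    def __init__(self, ceiling: float, reserve_fraction: float = 0.2,
                 session_cap: float = 0.25, ip_cap: float = 1.0,
                 base_cooldown: float = 2.0):
        self.ceiling = ceiling              # hard daily spend ceiling
        self.reserve = reserve_fraction     # share kept for first-time sessions
        self.session_cap = session_cap
        self.ip_cap = ip_cap
        self.base_cooldown = base_cooldown  # seconds between requests at 0% load
        self.spent = 0.0
        self.per_session = {}
        self.per_ip = {}
        self.last_seen = {}
        self.killed = False

    def cooldown(self) -> float:
        """Adaptive cooling: base gap at an empty budget, four times that as
        the ceiling is approached, so heavy load slows everyone gradually."""
        util = min(self.spent / self.ceiling, 1.0)
        return self.base_cooldown * (1 + 3 * util)

    def authorise(self, session: str, ip: str, est_cost: float, now: float):
        """Decide whether one request may proceed. Returns (allowed, reason).
        Per-client checks come first so a single session cannot reach the
        global ceiling; the spend is committed only when every check passes."""
        if self.killed:
            return False, "kill-switch"
        if self.per_session.get(session, 0.0) + est_cost > self.session_cap:
            return False, "session-cap"
        if self.per_ip.get(ip, 0.0) + est_cost > self.ip_cap:
            return False, "ip-cap"
        last = self.last_seen.get(session)
        if last is not None and now - last < self.cooldown():
            return False, "cooling"
        # Reserved capacity: once general spend reaches ceiling*(1-reserve),
        # only sessions with no prior spend may continue to draw on it.
        is_new = session not in self.per_session
        if not is_new and self.spent + est_cost > self.ceiling * (1 - self.reserve):
            return False, "reserved-for-new-visitors"
        if self.spent + est_cost > self.ceiling:
            self.killed = True          # hard ceiling: stop everything, page a human
            return False, "ceiling"
        self.spent += est_cost
        self.per_session[session] = self.per_session.get(session, 0.0) + est_cost
        self.per_ip[ip] = self.per_ip.get(ip, 0.0) + est_cost
        self.last_seen[session] = now
        return True, "ok"

    def reset_day(self) -> None:
        """Operator action at the daily boundary (or after investigating a trip)."""
        self.__init__(self.ceiling, self.reserve, self.session_cap,
                      self.ip_cap, self.base_cooldown)


if __name__ == "__main__":
    b = ChatBudget(ceiling=1.0, session_cap=1.0, ip_cap=1.0)
    print(b.authorise("a", "ip-a", 0.5, 0.0))     # (True, 'ok')
    print(b.authorise("a", "ip-a", 0.35, 100.0))  # reserved-for-new-visitors
    print(b.authorise("b", "ip-b", 0.35, 100.0))  # (True, 'ok')
    print(b.authorise("c", "ip-c", 0.20, 100.0))  # ceiling, kill-switch trips
```

The ordering matters: checking the ceiling last means a single abusive session hits its own cap long before it can exhaust the shared budget, and the kill-switch only fires when aggregate, already rate-limited traffic genuinely reaches the ceiling.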
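Card 07 says IP addresses are one-way hashed in the logs. The detail that matters, and the one an auditor will ask about, is that a plain SHA-256 of an IPv4 address is not one-way in practice: there are only 2^32 candidates, which a laptop enumerates in minutes. As an added example (not tek2serve.com's own code, and an assumption about how they do it), the function below keys the hash with a secret pepper and derives a fresh key per day, so a token is stable within a day (abuse patterns stay visible) but cannot be reversed without the key or joined across days. The pepper and log lines are constructed.

```python
"""One-way IP hashing for access logs, as card 07 describes. Added example,
not tek2serve.com's code. The pepper and sample log lines are constructed."""
import datetime
import hashlib
import hmac
import ipaddress
import re

# Assumed secret. In production this comes from the environment or a 0600
# file (card 09), never from source. An UNKEYED hash of an IPv4 address is
# not one-way in practice: there are only 2^32 candidates to try.
PEPPER = b"example-pepper-replace-me"

# Common-log-format lines start with the client address.
CLIENT_FIELD = re.compile(r"^(\S+)")

SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /security HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /contact HTTP/1.1" 429 0',
    '2001:db8::42 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 2048',
]


def daily_key(pepper: bytes, day: datetime.date) -> bytes:
    """Derive a per-day key so tokens cannot be correlated across days."""
    return hmac.new(pepper, day.isoformat().encode(), hashlib.sha256).digest()


def anonymise_ip(ip: str, pepper: bytes, day: datetime.date) -> str:
    """Keyed, truncated HMAC over the packed address (IPv4 and IPv6 alike).
    Raises ValueError if the string is not an IP address."""
    packed = ipaddress.ip_address(ip).packed
    digest = hmac.new(daily_key(pepper, day), packed, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def anonymise_line(line: str, pepper: bytes, day: datetime.date) -> str:
    """Replace the leading client address; leave lines we cannot parse alone
    rather than silently dropping them from the log."""
    m = CLIENT_FIELD.match(line)
    if not m:
        return line
    try:
        token = anonymise_ip(m.group(1), pepper, day)
    except ValueError:
        return line
    return token + line[m.end(1):]


if __name__ == "__main__":
    today = datetime.date(2025, 1, 1)
    for line in SAMPLE_LOG:
        print(anonymise_line(line, PEPPER, today))
```

Truncating to 64 bits keeps the log readable while leaving collisions negligible at any realistic visitor volume; rotating the key daily is what makes the retained logs pseudonymous rather than merely obfuscated.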
002 / Verify For Yourself

Don't trust us — test us.

Run any of these tests on this very domain. We score top marks because we earn them, not because we paid Cloudflare to score for us.

/ TLS / SSL

SSL Labs

Industry-standard test for TLS configuration, cipher suites, certificate chain, HSTS, OCSP and known vulnerabilities. Target: A+.

Run test →
/ Headers

Mozilla Observatory

Tests HTTP security headers, CSP, Subresource Integrity, cookies, redirects. Free, run by Mozilla.

Run test →
/ Headers

Security Headers

Quick scan of HTTP response headers. Grades A-F based on best practices.

Run test →
/ Email

MXToolbox

SPF, DKIM, DMARC, MX records, blacklist checks, reverse DNS, SMTP banner.

Run test →
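MXToolbox fetches the SPF and DMARC TXT records and reports what it finds; deciding whether they are actually strict is the reader's job. As an added example (not tek2serve.com's own code), this offline parser applies the bar set by the Email Security card above: a DMARC policy of `p=reject` that also covers subdomains, strict DKIM and SPF alignment (`adkim=s`, `aspf=s`), the policy applied to 100% of mail with an aggregate reporting address, and an SPF record that ends in `-all` without exceeding the ten-lookup limit of RFC 7208. The records below are constructed, not the domain's real ones.

```python
"""Strictness checks for SPF and DMARC TXT records. Added example; the sample
records are constructed and do not describe tek2serve.com's DNS."""

# Constructed records exercising the strict and the common-but-weak cases.
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 mx a:mail.example.com ip4:203.0.113.0/24 -all"
WEAK_SPF = "v=spf1 include:_spf.example.net include:_spf.other.example ~all"

# Mechanisms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a lower-cased tag map."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return the ways the record falls short of strict alignment (empty = strict)."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p") != "reject":
        findings.append(f"policy is p={t.get('p', '(missing)')}, not reject")
    # sp defaults to p, so a missing sp inherits whatever weakness p has.
    if t.get("sp", t.get("p")) != "reject":
        findings.append("subdomain policy is weaker than reject")
    for tag in ("adkim", "aspf"):
        if t.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed (the default); strict alignment needs {tag}=s")
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in t:
        findings.append("no rua= aggregate reporting address")
    return findings


def _is_lookup(term: str) -> bool:
    t = term.lower()
    if t.startswith("redirect="):
        return True
    mech = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
    return mech in LOOKUP_MECHS


def spf_findings(record: str) -> list:
    """Return the ways the SPF record falls short (empty = strict)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all authorises the whole internet to send as this domain")
    elif last == "?all":
        findings.append("?all is neutral, equivalent to publishing no policy")
    elif last == "~all":
        findings.append("~all softfail; strict posture uses -all")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("record does not end in an all mechanism")
    lookups = sum(1 for term in terms[1:] if _is_lookup(term))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10")
    return findings


if __name__ == "__main__":
    for name, rec, fn in (("DMARC", WEAK_DMARC, dmarc_findings),
                          ("SPF", WEAK_SPF, spf_findings)):
        print(name, fn(rec) or ["strict"])
```

The `sp` default is the usual trap: a record with `p=reject` and no `sp` tag is fine, but `p=none` with no `sp` leaves every subdomain unprotected too, which is why the check reads `sp` through `p` before judging it.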
/ DNS

DNSSEC Analyzer

Verifies DNS configuration and DNSSEC chain of trust if enabled.

Run test →
/ Disclosure

Found something?

If you discover a vulnerability, see our security.txt for responsible disclosure contact and PGP details. We respond fast and credit reporters.

View security.txt →
003 / Deliberate Choices

Why we don't use Cloudflare.

Most sites achieving these grades do so by hiding behind Cloudflare's CDN. We deliberately don't. Here's why.

i / Cloudflare can't sell what it doesn't do.

If we put our own marketing site behind Cloudflare's WAF, we'd be selling cybersecurity services from behind someone else's firewall. That's a credibility problem. We harden our own server because the work is the proof.

ii / No middleman MITM.

Cloudflare terminates TLS at its edge and opens a second TLS connection to your origin. That is a trust handover most people accept, but it means a third party decrypts, and can read, every request and response to your site in plaintext. We don't ship that compromise.

iii / Defence in depth on our own kit.

Layered rate limiting, automated abuse blocking, application-level anomaly detection and a hardened container runtime provide attack mitigation and application-layer DDoS resilience directly at the origin. The caveat a practitioner will expect: a volumetric flood that saturates the uplink itself is the one class of attack no origin-side control can absorb; the controls above address application-layer abuse. It's harder to set up than clicking an orange cloud, and that's the point.

iv / Privacy-first data flow.

Visitor IPs never touch a third-party CDN. No tracking pixels, no Google Fonts, no analytics scripts loading from external domains. Every byte is served from our own server. UK GDPR alignment is not lip service.

004 / Responsible Disclosure

Found a vulnerability? Let us know.

We welcome ethical security research. If you have found a vulnerability on this site, report it through the channels below rather than disclosing it publicly first, and give us a chance to fix it.

How to reach us: Email with details, reproduction steps, and impact. PGP available on request.

What we promise: Acknowledgement within 48 hours. Triage within 5 working days. Public credit if you want it. No legal action against good-faith research.

Scope: Anything served from this domain. Other client systems and our mail platform are separate scopes — please contact us first if you want to test elsewhere.

Please don't: Run automated scanners against production. Access data that isn't yours. Degrade availability for other users.