Security services
The family runs a strict-headers + double-audit + two-captcha pattern:
- Headers themselves — Cloudflare `_headers`. Static config-as-code, edge-applied, ships in `@chirag127/oriz-kit` as a preset every site copies.
- CI auditor #1 — securityheaders.com. Scott Helme's rubric. Headers-focused.
- CI auditor #2 — Mozilla Observatory. Mozilla's rubric. Headers + TLS + cookies + redirects.
- Captcha primary — Cloudflare Turnstile. Privacy-friendly, native to the Cloudflare stack, free unlimited.
- Captcha fallback — hCaptcha. Different operator + edge; auto-swapped in by `<Captcha>` when Turnstile is blocked by region or network.
Both auditors run on every PR. The PR fails if either score drops below A. The full strategy is locked in `security/security-headers-strategy.md`. The captcha pair is locked in `security/captcha-turnstile-plus-hcaptcha.md`.
| Service | Status | One-line role |
|---|---|---|
| cloudflare-headers.md | active | Strict CSP / HSTS preload / Permissions-Policy via _headers file |
| securityheaders.com | active | CI auditor — headers grade rubric |
| mozilla-observatory.md | active | CI auditor — comprehensive (TLS + cookies + redirects + headers) |
| cloudflare-turnstile.md | active | Captcha primary — privacy-friendly, native to Cloudflare stack |
| hcaptcha.md | active | Captcha fallback — different edge, auto-swapped on Turnstile block |
| klaro.md | active | Cookie consent manager (OSS); lazy-loaded only on EU + tracker pages |
| cloudflare-waf.md | active | WAF + Bot Fight Mode at the edge — managed ruleset, DDoS, free tier |
| hono-rate-limit.md | active | Per-route per-IP rate-limit middleware in api.oriz.in Worker (KV-backed) |
Why two auditors?
Each grades the same input differently. securityheaders.com is header-focused; Mozilla Observatory adds TLS + cookies + redirect chains. Running both means an A on both is unambiguous; running either alone leaves a category unchecked.
Why two captchas?
Different operators on different infrastructure means a Cloudflare-edge incident or a regional / network block on Turnstile doesn't take public-form submission down with it. The shared `<Captcha>` component in reachability on mount and swaps providers transparently.
Anti-bot defense in depth (3 layers)
Locked at `security/anti-bot-defense-in-depth.md`.
Three layers, each at a different stage of the request lifecycle:
- Edge / zone-wide — Cloudflare WAF + Bot Fight Mode blocks known-bad IPs, common attack patterns, and DDoS before anything reaches a Worker.
- Form-submit boundary — Turnstile + hCaptcha pair gates contact / sign-up / comment forms.
- API per-route throttle — Hono rate-limit middleware in the api.oriz.in Worker throttles per-IP per-route.
All three are free, run on the existing Cloudflare account, and need no card.
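The third layer, as an added example rather than the project's own `hono-rate-limit` code: a per-route, per-IP fixed-window limiter written in the `(c, next)` shape Hono middleware takes, backed by a KV-like store. The `hono` import is omitted so it runs stand-alone; the KV binding shape, key format, limits, header names and the `fakeContext` / `hammer` helpers are assumptions.

```javascript
// Added example, not the project's middleware: a per-route, per-IP fixed-window limiter in the
// (c, next) shape Hono middleware takes. The `hono` import is omitted so this runs stand-alone;
// the KV binding shape, key format, limits and header names are assumptions.
// Constructed stand-in for a KV namespace binding (get / put with expirationTtl, in seconds).
class MemoryKV {
  constructor() { this.map = new Map(); }
  async get(key) {
    const e = this.map.get(key);
    return e && e.exp > Date.now() ? e.value : null;
  }
  async put(key, value, opts = {}) {
    this.map.set(key, { value, exp: Date.now() + (opts.expirationTtl ?? 60) * 1000 });
  }
}
// Use the IP Cloudflare stamps on the request, not a client-spoofable X-Forwarded-For.
const clientIp = (req) => req.headers.get('cf-connecting-ip') ?? 'unknown';
// Key = route + IP + window index, so each route has its own budget. KV is eventually consistent,
// so this is a best-effort throttle behind the WAF and captcha layers, not an exact gate.
function rateLimit({ limit = 5, windowSec = 60, kv }) {
  return async (c, next) => {
    const win = Math.floor(Date.now() / 1000 / windowSec);
    const key = `rl:${c.req.path}:${clientIp(c.req.raw)}:${win}`;
    const count = Number((await kv.get(key)) ?? 0) + 1;
    await kv.put(key, String(count), { expirationTtl: windowSec * 2 }); // TTL outlives the window
    c.header('X-RateLimit-Limit', String(limit));
    c.header('X-RateLimit-Remaining', String(Math.max(0, limit - count)));
    if (count > limit) {
      c.header('Retry-After', String(windowSec));
      return c.text('Too Many Requests', 429);
    }
    await next();
  };
}

// Constructed minimal Hono-like context so the limiter can be exercised outside a Worker.
function fakeContext(path, ip) {
  const headers = {};
  const raw = new Request(`https://api.example.invalid${path}`, { headers: { 'cf-connecting-ip': ip } });
  return { req: { path, raw }, header: (k, v) => { headers[k] = v; }, text: (body, status) => ({ status, body, headers }) };
}

// Send n requests from one IP to one route; return the status each got (200 = passed through to next()).
async function hammer(mw, path, ip, n) {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const res = await mw(fakeContext(path, ip), async () => {});
    statuses.push(res ? res.status : 200);
  }
  return statuses;
}
```

In a Worker the store would be the bound KV namespace (`c.env.<NAME>`) and the middleware is attached per route with `app.use('/contact', rateLimit({...}))`, so each form endpoint gets its own budget.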
Cross-refs
- Security headers strategy decision
- Captcha decision — Turnstile primary + hCaptcha fallback
- Anti-bot defense-in-depth decision
- Cookie banner policy decision
- CF Worker quota mitigation playbook
- Cloudflare Pages — host that reads `_headers`
- App Check — Firestore bot defense
- reCAPTCHA Enterprise — risk assessments
- No card-on-file rule
- No hardcoded secrets rule