Security services

The family runs a strict-headers + double-audit + two-captcha pattern:

Both auditors run on every PR; the PR fails if either score drops below A. The full strategy is locked in security/security-headers-strategy.md. The captcha pair is locked in security/captcha-turnstile-plus-hcaptcha.md.

Service                    Status   One-line role
cloudflare-headers.md      active   Strict CSP / HSTS preload / Permissions-Policy via _headers file
securityheaders.com        active   CI auditor — headers grade rubric
mozilla-observatory.md     active   CI auditor — comprehensive (TLS + cookies + redirects + headers)
cloudflare-turnstile.md    active   Captcha primary — privacy-friendly, native to Cloudflare stack
hcaptcha.md                active   Captcha fallback — different edge, auto-swapped on Turnstile block
klaro.md                   active   Cookie consent manager (OSS); lazy-loaded only on EU + tracker pages
cloudflare-waf.md          active   WAF + Bot Fight Mode at the edge — managed ruleset, DDoS, free tier
hono-rate-limit.md         active   Per-route per-IP rate-limit middleware in api.oriz.in Worker (KV-backed)

Why two auditors?

Each grades the same input differently. securityheaders.com is header-focused; Mozilla Observatory adds TLS + cookies + redirect chains. Running both means an A on both is unambiguous; running either alone leaves a category unchecked.

Why two captchas?

Different operators on different infrastructure means a Cloudflare-edge incident or a regional / network block on Turnstile doesn't take public-form submission down with it. The shared <Captcha> component probes reachability on mount and swaps providers transparently.
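The probe-then-swap pattern described above, as an added example that is not the site's own <Captcha> component. It assumes the public script and siteverify URLs of the two providers (taken from their documentation, not from this page), a browser-side probe built on fetch with a timeout, and a server side that verifies each token against the provider that issued it. The probe is injectable so the selection logic can be exercised without a network.

```javascript
// Added example (not the project's <Captcha> component): probe the primary
// captcha's script endpoint on mount and fall back to the secondary when the
// probe fails or times out. The server then verifies the token with whichever
// provider actually issued it.

// Public script / verify URLs of the two providers (assumed from provider docs).
const PROVIDERS = [
  { name: 'turnstile',
    script: 'https://challenges.cloudflare.com/turnstile/v0/api.js',
    verify: 'https://challenges.cloudflare.com/turnstile/v0/siteverify' },
  { name: 'hcaptcha',
    script: 'https://js.hcaptcha.com/1/api.js',
    verify: 'https://api.hcaptcha.com/siteverify' },
];

// Browser-side probe: a no-cors GET with a hard timeout. An opaque response
// still resolves, so "reachable" means "the provider's edge answered"; a
// network block, DNS failure or timeout rejects and maps to false.
async function probeWithFetch(url, timeoutMs = 1500) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    await fetch(url, { method: 'GET', mode: 'no-cors', cache: 'no-store', signal: ctrl.signal });
    return true;
  } catch {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Walk providers in priority order and return the name of the first whose
// script endpoint answers. `probe` is injectable for offline testing.
async function selectCaptchaProvider(providers = PROVIDERS, probe = probeWithFetch) {
  for (const p of providers) {
    if (await probe(p.script)) return p.name;
  }
  // Nothing reachable: the form should show a retry state, never skip the check.
  return null;
}

// Server side: look up the verify endpoint for the provider the client reports.
// Unknown names are rejected rather than defaulted, so a client cannot steer
// verification to an endpoint the server does not expect.
function verifyEndpointFor(providerName) {
  const p = PROVIDERS.find((x) => x.name === providerName);
  if (!p) throw new Error(`unknown captcha provider: ${providerName}`);
  return p.verify;
}

// Both providers accept the same form-encoded siteverify body.
function buildVerifyBody(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  return params.toString();
}

// Server-side check as it would be called from a form handler (hypothetical
// `fetch` target; the secret comes from the Worker's environment, not source).
async function verifyCaptcha(providerName, token, secret, remoteIp) {
  const res = await fetch(verifyEndpointFor(providerName), {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: buildVerifyBody(secret, token, remoteIp),
  });
  const data = await res.json();
  return data.success === true;
}
```

The client sends the provider name alongside the token; the server never trusts that name beyond picking a verify URL from its own table, and a token is only accepted when that provider's siteverify reports success.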

Anti-bot defense in depth (3 layers)

Locked at security/anti-bot-defense-in-depth.md. Three layers, each at a different stage of the request lifecycle:

  1. Edge / zone-wide: Cloudflare WAF + Bot Fight Mode blocks known-bad IPs, common attack patterns, and DDoS before anything reaches a Worker.
  2. Form-submit boundary: Turnstile + hCaptcha pair gates contact / sign-up / comment forms.
  3. API per-route throttle: Hono rate-limit middleware in the api.oriz.in Worker throttles per-IP per-route.

All three are free, run on the existing Cloudflare account, and need no card.
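The third layer, a per-route per-IP KV-backed throttle, as an added example that is not the hono-rate-limit.md middleware itself. It assumes the Hono context shape (c.req.method, c.req.path, c.req.header(), c.header(), c.text()) and a store with the Cloudflare KV get/put signature; MemoryKV is a constructed in-memory stand-in so the block runs offline, and the fixed-window counter is one reasonable design, not necessarily the one the Worker uses.

```javascript
// Added example (not the project's hono-rate-limit.md): a fixed-window,
// per-route, per-IP counter behind a Hono-style middleware. The store only
// needs KV's get(key) / put(key, value, { expirationTtl }) methods.

// Constructed in-memory stand-in for Cloudflare KV, with TTL expiry, so the
// limiter can run without a Worker. `now` is injected for deterministic tests.
class MemoryKV {
  constructor(now = () => Date.now()) { this.m = new Map(); this.now = now; }
  async get(key) {
    const e = this.m.get(key);
    if (!e) return null;
    if (e.exp && e.exp <= this.now()) { this.m.delete(key); return null; }
    return e.v;
  }
  async put(key, value, opts = {}) {
    const exp = opts.expirationTtl ? this.now() + opts.expirationTtl * 1000 : 0;
    this.m.set(key, { v: value, exp });
  }
}

// One counter per (route, ip, window). Keys carry the window start so old
// windows simply expire instead of needing a reset.
function createRateLimiter({ store, limit = 10, windowSec = 60, now = () => Date.now() }) {
  async function check(route, ip) {
    const nowSec = Math.floor(now() / 1000);
    const windowStart = Math.floor(nowSec / windowSec) * windowSec;
    const key = `rl:${route}:${ip}:${windowStart}`;
    const count = Number((await store.get(key)) ?? 0) + 1;
    // KV's minimum expirationTtl is 60 s; cover at least one full window.
    await store.put(key, String(count), { expirationTtl: Math.max(60, windowSec) });
    const allowed = count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - count),
      retryAfter: allowed ? 0 : windowStart + windowSec - nowSec,
    };
  }
  return { check };
}

// Hono-shaped middleware (assumed API: c.req.method, c.req.path, c.req.header,
// c.header, c.text). The client IP is taken from CF-Connecting-IP, which
// Cloudflare sets at the edge; X-Forwarded-For is ignored because a client can
// prepend arbitrary values to it.
function rateLimit(opts) {
  const limiter = createRateLimiter(opts);
  return async (c, next) => {
    // Requests that did not pass through Cloudflare share one "unknown" bucket.
    const ip = c.req.header('CF-Connecting-IP') ?? 'unknown';
    const route = `${c.req.method} ${c.req.path}`;
    const r = await limiter.check(route, ip);
    c.header('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      c.header('Retry-After', String(r.retryAfter));
      return c.text('Too Many Requests', 429);
    }
    await next();
  };
}

// Wiring inside a Worker would look like:
//   app.use('/contact', rateLimit({ store: env.RATE_LIMIT_KV, limit: 5, windowSec: 60 }));
```

Two caveats worth knowing before relying on this shape: KV is eventually consistent and get-then-put is not atomic, so concurrent requests to the same bucket can overshoot the limit slightly (a soft throttle, fine as a third layer behind WAF and captcha, but not a hard quota), and the per-route key means each route gets its own budget, so a noisy client cannot exhaust one endpoint's limit by hammering another.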

Cross-refs