Security

Security practices

SiteLead applies defense-in-depth at the application and infrastructure layers. This page describes our baseline — not a certification claim.

Application security

  • Transport encryption

    HTTPS everywhere in production.

  • Content Security Policy

    Strict CSP headers on the web app; connect-src limited to configured API origins.

  • Session handling

    Auth tokens are not cached by the offline service worker.

Operational security

  • Request tracing

    Every API call carries an X-Request-Id for correlation.

  • Admin separation

    Admin routes require explicit role assignment.

  • Reporting issues

    Report security concerns via the contact page.