Tenant tables ENABLE and FORCE Postgres row-level security, so the policy binds the owner too. A query that never set the tenant context returns nothing — not everything. Cross-tenant isolation is a CI test, not a convention.
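What the fail-closed RLS described above looks like in Postgres, as an added example rather than Caisson's generated code; the table, column, role and GUC names (invoices, app.tenant_id, app_rw) are assumptions:

```sql
-- Added example: a tenant table that returns nothing, not everything,
-- when the tenant context was never set. Names are assumed.
CREATE TABLE invoices (
  id           bigserial PRIMARY KEY,
  tenant_id    uuid   NOT NULL,
  amount_cents bigint NOT NULL
);

-- ENABLE switches RLS on; FORCE applies it to the table owner as well, so a
-- migration or maintenance session running as owner cannot bypass the policy.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the GUC was never set in the
-- session and '' after a SET LOCAL has gone out of scope; NULLIF folds both to
-- NULL. tenant_id = NULL is NULL, which RLS treats as "not permitted", so a
-- session without context sees zero rows and cannot insert any.
CREATE POLICY tenant_isolation ON invoices
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;

-- The app sets the context per transaction (SET LOCAL), never per connection,
-- so a pooled connection cannot carry one tenant's context into the next.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (tenant_id, amount_cents)
  VALUES ('11111111-1111-1111-1111-111111111111', 4200);
SELECT count(*) FROM invoices;   -- only this tenant's rows
COMMIT;

-- CI check, run as a plain role (superusers and BYPASSRLS roles are exempt
-- from RLS whatever FORCE says): with no tenant context the table must be empty.
DO $$
DECLARE n bigint;
BEGIN
  SELECT count(*) INTO n FROM invoices;
  IF n <> 0 THEN
    RAISE EXCEPTION 'RLS not fail-closed: % rows visible without tenant context', n;
  END IF;
END $$;
```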
Fail-closed by construction.
The same posture Caisson generates for your app governs this site: deny by default, prove on demand, and claim nothing we do not ship. Caisson generates the audit evidence — it is not the auditor.
$ curl -sI https://caisson.sh
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
content-security-policy: default-src 'self'; …
The security your app inherits on day one.
These are product features — wired and tested into the codebase Caisson generates, not services we run on your behalf. You own the source and the evidence.
Evidence buckets enable S3 Object Lock in COMPLIANCE mode with a default retention. Inside the window an object cannot be overwritten or deleted — not by an app bug, an operator, or a leaked root key.
Each audit row commits SHA-256 over the previous hash plus its payload. Tampering with any historical row breaks every link after it, and the break is detectable, provable, and exportable.
Sensitive columns are sealed with a data key derived per tenant via HKDF-SHA256. A leaked tenant key exposes one tenant, never the table; rotating the root re-derives every key without a re-encrypt scan.
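An added example, not Caisson's generated code, of the hash-chained audit table described above, built in Postgres 11+ (sha256(bytea) and EXECUTE FUNCTION); the table, trigger, function and role names are assumptions:

```sql
-- Added example: each row commits SHA-256(previous hash || payload), and a
-- verifier returns the first row whose link no longer recomputes.
CREATE TABLE audit_log (
  seq       bigserial PRIMARY KEY,
  payload   jsonb NOT NULL,
  prev_hash bytea NOT NULL,
  row_hash  bytea NOT NULL
);

-- Link each insert to its predecessor. The table lock serialises writers so
-- two concurrent inserts cannot both chain from the same previous row.
CREATE FUNCTION audit_chain_link() RETURNS trigger AS $$
DECLARE prev bytea;
BEGIN
  LOCK TABLE audit_log IN EXCLUSIVE MODE;
  SELECT row_hash INTO prev FROM audit_log ORDER BY seq DESC LIMIT 1;
  NEW.prev_hash := coalesce(prev, '\x00'::bytea);            -- genesis link
  -- jsonb::text is canonical, so the same payload always hashes the same.
  NEW.row_hash  := sha256(NEW.prev_hash || convert_to(NEW.payload::text, 'UTF8'));
  RETURN NEW;
END $$ LANGUAGE plpgsql;

CREATE TRIGGER audit_chain BEFORE INSERT ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_chain_link();

-- Append-only for the application role: INSERT and SELECT, never UPDATE/DELETE.
GRANT SELECT, INSERT ON audit_log TO app_rw;

-- Walk the chain in order. An edited payload breaks row_hash; a deleted or
-- re-hashed row breaks the next row's prev_hash. Returns NULL when intact.
CREATE FUNCTION audit_chain_verify() RETURNS bigint AS $$
DECLARE r record; expected bytea := '\x00'::bytea;
BEGIN
  FOR r IN SELECT * FROM audit_log ORDER BY seq LOOP
    IF r.prev_hash <> expected
       OR r.row_hash <> sha256(r.prev_hash || convert_to(r.payload::text, 'UTF8')) THEN
      RETURN r.seq;                                           -- first broken link
    END IF;
    expected := r.row_hash;
  END LOOP;
  RETURN NULL;
END $$ LANGUAGE plpgsql;

INSERT INTO audit_log (payload) VALUES ('{"event":"login","user":"alice"}');
SELECT audit_chain_verify();   -- NULL: chain intact
```

Exporting the final row_hash alongside the rows is what makes the proof portable: anyone holding the export can recompute the chain without trusting the database it came from.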
How caisson.sh itself is secured.
A static marketing site has a small attack surface — we keep it small on purpose and document exactly what ships.
The site is a static export — no application server, no database, no runtime data fetch. The contact-forms endpoint is the only dynamic surface, and it holds no secrets in the client bundle.
Every response carries HSTS with preload, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a strict Referrer-Policy, a closed Permissions-Policy, and a tightened Content-Security-Policy.
Analytics run through Plausible — no cookies, no cross-site identifiers, no consent banner because there is nothing to consent to. Plausible is the one external script and beacon origin the CSP allows.
Fonts ship from our own origin via next/font — no third-party font CDN. font-src is locked to 'self', removing an external origin from the trust surface.
The forms function validates input with Zod .strict() (unknown fields are rejected), drops bots with a honeypot field, and carries an env-gated Turnstile verification hook; a per-IP rate-limit binding is documented as the next step.
A machine-readable policy lives at /.well-known/security.txt (RFC 9116). Report anything you find to security@caisson.sh — we read it.
The policy that ships — including what is not yet locked down.
We state CSP residuals plainly rather than imply a tighter policy than we run. Trust is the product; over-claiming it would defeat the point.
$ curl -sI https://caisson.sh | grep -i '^content-security-policy'
content-security-policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://plausible.io; connect-src 'self' https://plausible.io
script-src and style-src still allow 'unsafe-inline'. A Next.js static export inlines its own hydration bootstrap, and with no server to mint a per-request nonce those inline tags cannot be nonce- or hash-gated without breaking hydration. Our own scripts — theme init, Plausible — are all external script files rather than inline tags. Tightening the residual to per-script hashes is a tracked follow-up, not a shipped claim.
Caisson generates evidence. It is not an auditor.
Caisson ships the technical controls a framework asks for and generates the evidence pack. The audit, and your organizational controls, stay yours.
We never imply Caisson is SOC 2 or HIPAA certified — a codebase cannot be. It maps the live RLS policies, WORM retention, and an audit-chain proof to named controls so you can hand an auditor the evidence, not a screenshot. The technical-versus-administrative line is drawn on purpose, and we keep it visible.
The questions procurement asks first.
Is Caisson SOC 2 or HIPAA certified?
No. Caisson is a codebase, not an auditor. It ships the technical controls those frameworks require — fail-closed RLS, WORM storage, an append-only audit chain — and generates the evidence pack you hand your auditor. The audit itself and your organizational controls (HR, vendor, incident response) remain yours.
Does this site set tracking cookies?
No. Analytics are cookieless (Plausible), there are no third-party trackers, and there is no consent banner because nothing is stored on your device.
How do I report a vulnerability?
Email security@caisson.sh, or read the machine-readable policy at /.well-known/security.txt. There is no bug-bounty program yet; we still want the report.
Found something? Tell us.
We publish a machine-readable policy and read every report. No bounty program yet — the report still matters.