Security
Security Posture
Last updated: April 3, 2026
This page summarizes the implemented security controls across all CHKDSK Labs products and services. It documents current controls, not future or aspirational controls.
1. Application and Transport Security
- HTTPS with strict transport security (HSTS preload enabled).
- Security headers configured globally, including `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, and `Permissions-Policy`.
- Content Security Policy (CSP) restrictions are applied to script, style, image, and connection sources.
Applicable projects
- [x]CHKDSK Labs Website
- [x]Ridge Sight
- [ ]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [x]CrabTalk
- [ ]Pomotok
2. API Input and Access Controls
- APIs validate required fields, maximum lengths, and allowed values using centralized schema validation (Zod where applicable).
- Email format validation is enforced for support and account intake.
- Access tokens and session identifiers are validated before processing.
- External service URLs are restricted to valid HTTPS URLs to reduce SSRF risk.
Applicable projects
- [x]CHKDSK Labs Website
- [x]Ridge Sight
- [ ]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [x]CrabTalk
- [ ]Pomotok
3. Authentication and Secrets Handling
- OAuth access tokens, refresh tokens, webhook URLs, and API keys are encrypted at rest using AES-256-GCM where applicable.
- Session tokens are hashed (SHA-256) before database storage; raw values are never persisted.
- Service integration keys are loaded from environment variables and not hardcoded.
- Webhook payloads from GitHub, Stripe, and other providers are verified via HMAC-SHA256 signatures with constant-time comparison.
Applicable projects
- [ ]CHKDSK Labs Website
- [x]Ridge Sight
- [x]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [x]CrabTalk
- [ ]Pomotok
4. Data Isolation and Access Control
- PostgreSQL Row-Level Security (RLS) policies ensure users can only access their own data.
- Database queries are parameterized throughout to prevent SQL injection.
- Account deletion triggers full anonymization of identifiable data.
Applicable projects
- [ ]CHKDSK Labs Website
- [x]Ridge Sight
- [ ]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [x]CrabTalk
- [ ]Pomotok
5. AI Security Controls
- All AI inference is routed through the Vercel AI Gateway with Zero Data Retention (ZDR) models exclusively — a company-wide policy.
- AI endpoints require authenticated sessions and are subject to rate limiting.
- Prompt injection mitigations are in place: input escaping, structured output schema validation, and output sanitization.
- AI outputs are validated against strict schemas before being stored or returned to users. Invalid responses trigger deterministic fallback behavior.
- No source code, file contents, or raw user PII is ever sent to AI model providers.
Applicable projects
- [ ]CHKDSK Labs Website
- [x]Ridge Sight
- [ ]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [ ]CrabTalk
- [ ]Pomotok
6. Logging and Privacy Safeguards
- Error responses are generalized for end users and avoid exposing internal stack traces.
- Browser cookie consent preferences are stored locally and not sent to CHKDSK Labs servers.
- APIs use bounded input sizes to reduce abuse and accidental over-collection.
- Structured audit logging captures security-sensitive and compliance-sensitive actions where applicable.
7. Certifications and Assurance Scope
CHKDSK Labs does not currently claim a formal SOC 2 or ISO 27001 certification. Security posture is maintained through implemented controls, internal reviews, and periodic updates to these disclosures.
8. Vulnerability Reporting
Report vulnerabilities to jay@chkdsklabs.io with reproduction details. We prioritize confirmed security issues and respond as quickly as possible.