Browser policy
The Cloudflare Pages header set includes Content Security Policy, HSTS, frame blocking, nosniff, strict-origin referrer policy, and a permissions policy that disables powerful browser APIs.
This page states the security controls that apply to the static Mullusi public website. Runtime gateway, dashboard, sandbox, and metrics security remain AwaitingEvidence until those surfaces publish signed witnesses.
Executable scripts are self-hosted external files rather than inline. The only inline script currently allowed is the hash-pinned Organization/WebSite JSON-LD block on the homepage.
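The hash-pinning described above can be checked before deployment: compute the CSP `'sha256-…'` token for the one permitted inline block, emit the header set, and flag any other inline script that has crept into the HTML. This is an added example, not the site's own configuration; the JSON-LD body, the HTML sample and every directive value are constructed assumptions, not Mullusi's published headers.

```python
import base64
import hashlib
import re

# Constructed sample JSON-LD body standing in for the homepage's Organization/WebSite block.
JSON_LD = '{"@context":"https://schema.org","@type":"Organization","name":"Example"}'


def csp_hash(script_body: str) -> str:
    """CSP source token for an inline script: SHA-256 over the exact UTF-8 text, base64."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_headers(inline_hashes) -> dict:
    """Header set covering the six controls the policy names; values are assumptions."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(inline_hashes),  # self-hosted files plus pinned inline block
        "object-src 'none'",
        "frame-ancestors 'none'",  # frame blocking (CSP form); X-Frame-Options below for old agents
        "base-uri 'self'",
    ])
    return {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
    }


INLINE_SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)


def unpinned_inline_scripts(html: str, csp: str) -> list:
    """Bodies of inline <script> elements whose hash is absent from the CSP script-src."""
    allowed = set(re.findall(r"'sha256-[A-Za-z0-9+/=]+'", csp))
    offenders = []
    for m in INLINE_SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs")):
            continue  # external script: governed by 'self', not by a hash
        body = m.group("body")
        if csp_hash(body) not in allowed:
            offenders.append(body)  # would be blocked by the browser; fail the deploy instead
    return offenders


# Constructed HTML: the pinned JSON-LD, a self-hosted script, and one stray inline snippet.
SAMPLE_HTML = (
    '<script type="application/ld+json">' + JSON_LD + "</script>\n"
    '<script src="/assets/app.js"></script>\n'
    "<script>window.track=1</script>\n"
)
HEADERS = build_headers([csp_hash(JSON_LD)])
```

Running `unpinned_inline_scripts(SAMPLE_HTML, HEADERS["Content-Security-Policy"])` returns the stray `window.track=1` body, which is the drift a pre-deploy check should reject.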
Reserved subdomains are not linked as live endpoints. Visitors are routed to published static pages, status, contact, or proof boundary pages.
Public JSON files are static, content-hashed, and validated before deployment. Runtime proof stamps are not claimed until witness endpoints close.
| Surface | State | Security boundary |
|---|---|---|
| mullusi.com | Published | Static public website with governed headers and no live account session. |
| docs.mullusi.com | Published externally | Docs are linked as a public knowledge surface; this repository does not own its response headers. |
| api.mullusi.com | AwaitingEvidence | Runtime security requires health, gateway witness, and conformance evidence before public claim closure. |
| dashboard.mullusi.com | Reserved | Authenticated operator surface; not linked as live from this public site. |