Seeded showcase

88/100 posture

Template narrative

Security review

northstar-finance.demo

https://northstar-finance.demo

Northstar Finance presents a mature external security baseline with HTTPS, redirect enforcement, and most critical hardening controls in place. The largest gap is the absence of a content security policy, which leaves browser-side protections weaker than the rest of the stack.

HTTPS

Reachable

Pass

Redirect

HTTP -> HTTPS

Pass

Headers

4/5 visible

Pass

TLS

232 days remaining

Pass

Healthy posture

Issue mix

Critical / high

Medium

Low / info

Report state

Completed

Mar 27, 2026, 3:31 PM

Audience

Exec summary plus technical detail in one artifact

Recommended briefing order

Report context

Narrative and ownership layers

Designed for executive walkthroughs and technical follow-up in the same screen.

Scanned target

northstar-finance.demo

Workspace

Public showcase scan

Access model

Public seeded report

Narrative engine

Fallback templates generated the report because AI was unavailable or not configured.

Distribution

Report actions

Open a print-ready layout, export a deliverable PDF, or generate a read-only share link.

Delivery stack

Built for handoff, not just inspection

This report can move from live product view to boardroom PDF or read-only share link without changing context.

Print view Export PDF

Export tracking

Recorded PDF downloads for this report.

Findings

Top issues to brief first

Prioritized observations from the passive website security review.

Browser hardening#1

Content Security Policy is missing

The site does not publish a Content-Security-Policy header, so browsers have fewer constraints on where scripts, frames, and other resources can load from.

MEDIUM

Observed: No Content-Security-Policy header was visible in the HTTPS response.

Remediation: Add a baseline Content-Security-Policy and tighten it over time, starting with default-src 'self' and explicit script/frame allowlists.

Plain-English

Explanations for non-security audiences

Helpful for founders, PMs, recruiters, and judges.

HTTPS

HTTPS encrypts the connection between a visitor and your site so traffic cannot be read or altered in transit as easily.

Content Security Policy

A content security policy tells the browser which scripts, frames, and external resources are allowed to run on the page.

Signal breakdown

Raw checkpoints from the passive review

Transport, headers, cookies, and email-auth posture at a glance.

Transport

HTTPS status: 200

HTTP status: 301

TLS expiry: Nov 14, 2026, 12:00 PM

Days remaining: 232 days remaining

Browser controls

content-security-policy: Missing

strict-transport-security: Present

northstar-finance.demo

Narrative and ownership layers

Report actions

Top issues to brief first

Content Security Policy is missing

Explanations for non-security audiences

Raw checkpoints from the passive review

Cookie posture is strong

What an engineer should take away

Fix order that makes sense