Security Posture (Quick)

A short, review-friendly posture statement for merchants, platforms, and auditors. For deep details, see Security and the docs links below.

CSP stance (no remote scripts)

Strict Content Security Policy blocks remote scripts, fonts, and styles.
Self-hosted assets only; no third-party tags/pixels.
Widgets are iframe-only (no injected scripts into host pages).

No tracking

No analytics cookies, no fingerprinting, no session replay.
No per-user identifiers. Aggregated counters only (for abuse sizing).
Referrer minimized on key pages (no-referrer).

Anti-abuse posture

Rate limits + concurrency controls to prevent cost explosions.
Circuit-breaker modes under pressure (defensive behavior).
Verify remains free (uniform read limits; no paywalls on verification).

Domain separation

verify.getevidex.net: read-only verification surfaces (no issuance endpoints, no login).
getevidex.net: issuance and product site.

Separation reduces blast radius and simplifies review: the verify domain can be cached and hardened as read-only.

Documentation

Security headers Rate limiting Policy lockfile Trust Center

Reality Audit

—

Offline Verify Court Mode