Version 1.0.4
Last Updated: March 16, 2026

Data Protection

Security is built into the core of AxeTip. We use industry-standard encryption (AES-256) for data at rest and TLS for data in transit.

Security Headers

We maintain a high standard for security headers, balancing maximum protection with the necessary functionality for a modern financial platform:

  • HSTS (Strict-Transport-Security): Preloaded and set to the maximum duration (2 years) to ensure all traffic is encrypted.
  • Content-Security-Policy (CSP): We implement a robust CSP configured to support essential site functionality, including Google AdSense and search services.
  • Sentinel Cookie Security: Every deployment includes a secure sentinel cookie with SameSite=Strict, HttpOnly, and Secure flags, ensuring browsers enforce the highest level of cross-origin protection.
  • X-Frame-Options: Framing by other sites is explicitly blocked using both the X-Frame-Options header and the CSP frame-ancestors directive to eliminate clickjacking risks.
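
As an added example (not AxeTip's own code), the Python sketch below audits a set of response headers against the four controls listed above. The cookie name "sentinel", the reading of "blocked" as DENY and frame-ancestors 'none', and the sample response are assumptions constructed for illustration.

```python
import re

TWO_YEARS = 63072000  # seconds; the HSTS duration the page states

# Constructed sample response (not captured from the real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
SAMPLE_COOKIES = ["sentinel=1; Path=/; Secure; HttpOnly; SameSite=Strict"]


def _split(value):
    """Split a ';'-separated header value into stripped, non-empty parts."""
    return [p.strip() for p in value.split(";") if p.strip()]


def audit_headers(headers, set_cookies, cookie_name="sentinel"):
    """Return {check: bool}. cookie_name is hypothetical; the page names no cookie."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # HSTS: 2-year max-age plus preload; the browser preload list also
    # requires includeSubDomains.
    hsts = [d.lower() for d in _split(h.get("strict-transport-security", ""))]
    age = next((re.fullmatch(r'max-age="?(\d+)"?', d)
                for d in hsts if d.startswith("max-age")), None)
    hsts_ok = (bool(age) and int(age.group(1)) >= TWO_YEARS
               and {"preload", "includesubdomains"} <= set(hsts))

    # CSP: only the first occurrence of a repeated directive is honoured.
    csp = {}
    for d in _split(h.get("content-security-policy", "")):
        name, *values = d.lower().split()
        csp.setdefault(name, values)

    # Cookie: names are case-sensitive, attribute names are not.
    cookie_ok = False
    for raw in set_cookies:
        pair, *attrs = _split(raw) or [""]
        if pair.split("=", 1)[0] == cookie_name:
            cookie_ok = {"secure", "httponly", "samesite=strict"} <= {a.lower() for a in attrs}

    return {
        "hsts": hsts_ok,
        "csp_frame_ancestors": csp.get("frame-ancestors") == ["'none'"],
        "x_frame_options": h.get("x-frame-options", "").strip().lower() == "deny",
        "sentinel_cookie": cookie_ok,
    }


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS, SAMPLE_COOKIES))
```

Any check that returns False points at a header that has drifted from the stated policy, which makes the function usable as a deployment gate.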

Business Analytics & Advertising

To support the free tools and resources we provide, AxeTip uses industry-standard measurement and advertising partners:

  • Standard GA4 Tracking: We use Google Analytics 4 to understand site performance. This includes standard cookies and signals to ensure accurate data for our financial comparisons.
  • AdSense Integration: We use Google AdSense to serve relevant advertisements. This requires certain scripts to execute with standard web permissions.
  • Dynamic Loading: Scripts are delayed until the page is fully interactive to prioritize user experience and site speed.

Infrastructure & CDN

Our platform leverages Cloudflare’s global edge network, providing:

  • DDoS Protection: Mitigating large-scale layer 3 and layer 7 attacks.
  • Bot Management: Protecting against automated scraping and malicious bots.
  • DNSSEC: Ensuring the integrity of our DNS records to prevent spoofing.

Compliance & Process

AxeTip follows rigorous change control procedures to ensure the integrity of our software:

  • Immutable Infrastructure: Every change is tracked via hashed Git commits and a cryptographically signed build history.
  • Static Delivery: By eliminating dynamic backends and REPLs, we eliminate the majority of common injection vulnerabilities like SQLi or SSRF.

Independent Verification

The following reports are generated by independent third parties and are publicly verifiable at any time:

SSL/TLS Encryption (SSL Labs)
Qualys SSL Labs rated AxeTip A+ — the highest possible grade — across all globally distributed edge servers, covering certificate validity, cipher strength, and protocol security.

Safe Browsing Status (Google)
AxeTip is verified safe by Google’s Safe Browsing database — the same technology used by Chrome, Firefox, and Safari to protect billions of users from malware and phishing.

Security Header Integrity (Mozilla Observatory)
AxeTip maintains a B+ score on the Mozilla Observatory. This score reflects our implementation of a Content Security Policy that facilitates standard advertising and analytics services while maintaining high security standards.

Responsible Disclosure

We welcome reports from the security community. If you believe you’ve found a vulnerability, please contact us at [email protected]. We appreciate your help in keeping AxeTip secure.