Security
Last updated: May 27, 2026
Transport Security
All traffic to this website is served exclusively over HTTPS with HSTS enabled (max-age=31536000; includeSubDomains; preload). HTTP requests are 301-redirected to HTTPS.
Application Security
- Content Security Policy (strict-dynamic with per-request nonces) limits script and style sources, blocks inline event handlers, and disables risky directives such as object-src.
- CSRF protection on all state-changing endpoints using session-bound tokens compared in constant time.
- Input validation on every form field, with server-side type and length checks; uploads are MIME-checked against magic bytes and stripped of EXIF metadata.
- Rate limiting on login, public form submission and search endpoints to mitigate brute-force and abuse.
- Session security: HttpOnly + SameSite=Lax cookies, rolling expiration, signed with a 64+ byte secret rotated through a documented procedure.
- Privileged-account MFA: TOTP for the admin console, with secrets encrypted at rest using AES-256-GCM.
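As an added illustration (not this site's own code) of the transport and application controls listed above: the quoted HSTS value, a strict-dynamic CSP built around a fresh per-request nonce, and session-bound CSRF tokens checked in constant time. The HMAC-of-session-id construction, the default-src 'self' baseline and the helper names are assumptions.

```python
import hashlib
import hmac
import secrets

# HSTS value as quoted on this page.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"


def new_nonce() -> str:
    """Per-request nonce: 128 bits from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(16)


def csp_value(nonce: str) -> str:
    """strict-dynamic CSP: only nonce-bearing scripts (and scripts they load)
    execute; inline handlers are blocked because 'unsafe-inline' is absent;
    object-src is disabled. default-src 'self' is an assumed baseline."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "report-uri /csp-report"
    )


def response_headers(nonce: str) -> dict:
    """Headers to attach to every HTTPS response (nonce must be fresh per request)."""
    return {
        "Strict-Transport-Security": HSTS_VALUE,
        "Content-Security-Policy": csp_value(nonce),
    }


def csrf_token(session_id: str, secret: bytes) -> str:
    """Session-bound token: HMAC of the session id under a server secret,
    so a token captured from one session is useless in another (assumed design)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, secret: bytes, presented: str) -> bool:
    """Constant-time comparison; a plain == stops at the first differing byte."""
    expected = csrf_token(session_id, secret)
    return hmac.compare_digest(expected.encode(), presented.encode())
```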
Operations Security
- Database backups run daily and are integrity-checked through periodic disaster-recovery drills.
- Server-side audit logs record administrator actions and security-relevant events; logs are archived monthly and retained per our policy.
- Operations endpoints (/healthz, /readyz, /metrics, /csp-report) are restricted to internal networks and an explicit allowlist.
Reporting a Vulnerability
If you believe you have found a security vulnerability, please contact support@trendsemi.com with reproduction steps. We commit to acknowledging your report within 3 business days and to keeping you informed of remediation progress. We will not pursue legal action against good-faith research that complies with the boundaries set out in our Terms of Service.
