BellPathOS v1.6

Security Center

Security hardening and SOC 2 readiness controls for the public BellPathOS client site.

SOC 2 readinessLocal-first privacyClient-owned secretsCloudflare hardened

Security posture

Built for controlled beta, not certified SOC 2 yet

This build adds SOC 2 readiness controls, public-package cleanup, hardened headers, data classification, client-owned Plaid/AI key boundaries, and audit evidence templates. Formal SOC 2 still requires an independent CPA audit and operating evidence over time.

Run Security Check

Verify browser, HTTPS, service worker, storage, setup, AI vault, and connector risk signals.

Open →

SOC 2 Readiness

Map current controls to security, availability, confidentiality, privacy, and processing integrity.

Open →

Launch blockers

Before public scale

Remove owner/admin files from public package. Done in v1.6. Deploy Plaid Worker with origin allowlist and Worker secrets. Add Turnstile site key and server-side verification for forms. Keep AI/Plaid keys client-owned or move to a server proxy before storing secrets. Start evidence collection for SOC 2 audit readiness.

Security modules

Controls added in v1.6

Data Classification

Labels public, local-only, sensitive, confidential, restricted, AI-shared, and Plaid-connected data.

Open →

Vulnerability Disclosure

Public instructions for reporting security issues safely.

Open →

Incident Response

Client-safe incident response process and escalation checklist.

Open →

Turnstile Setup

Bot protection setup for support/contact/setup forms.

Open →

Headers

Browser hardening now included

The Cloudflare Pages _headers file now includes HSTS, frame denial, nosniff, stricter referrer policy, restrictive permissions policy, cross-origin isolation helpers, and an operational Content Security Policy plus strict report-only CSP for future inline-code cleanup.