Security Policy
Trust by Design, Transparency by Default
Published: January 2026
Maintained by: ITS Group Engineering
Last updated: January 2026
Overview
At ITS Group, security isn’t a checkbox — it’s a declaration of care. Every pixel, packet, and process is designed to protect the humans who trust us with their data. This policy outlines the principles, technologies, and operational discipline that define how we build digital systems that are both resilient and respectful.
Core Principles
- 🛡️ Zero Trust as Default — Every component must prove itself before it participates.
- 🔏 Integrity over Convenience — Secure coding and deployment pipelines are never compromised for speed.
- 📖 Transparency as Security — We publish our headers, policies, and methods openly.
Technical Enforcement
Our security architecture is built on industry-leading standards and practices, including:
- Content Security Policy (CSP) v3 with Nonces — Dynamically generated nonces for scripts and styles ensure only trusted code executes.
- Trusted Types — Prevents DOM-based XSS by restricting the types of values that can be assigned to sensitive sinks.
| Header | Value |
|---|---|
| Date | Thu, 29 Jan 2026 21:55:55 GMT |
| Vary | Accept-Encoding |
| Cf-Ray | 9c5bf9fddeeededd-SEA |
| Server | cloudflare |
| Alt-Svc | h3=":443"; ma=86400 |
| Expires | Thu, 29 Jan 2026 22:00:55 GMT |
| Product | ITS Themer |
| Csp-Nonce | random-session-base64 |
| Connection | close |
| Powered-By | ITS Group - Digital presence for the age of AI. https://itsgroup.co.nz |
| Set-Cookie | __Host-ITS-SECURITY-CHECK=security-check; path=/; secure; HttpOnly; SameSite=Strict |
| Content-Type | text/html; charset=UTF-8 |
| Cache-Control | private, max-age=60, stale-while-revalidate=7200 |
| Cf-Cache-Status | BYPASS |
| Referrer-Policy | strict-origin |
| X-Frame-Options | SAMEORIGIN |
| Integrity-Policy | blocked-destinations=(script) |
| X-Xss-Protection | 1; mode=block |
| Transfer-Encoding | chunked |
| Permissions-Policy | geolocation=(), microphone=(), camera=(), local-fonts=(), payment=() |
| X-Content-Type-Options | nosniff |
| Content-Security-Policy | default-src 'none' ; script-src 'self' 'nonce-random-session-base64' 'strict-dynamic' ; style-src 'self' 'nonce-random-session-base64' 'sha256-dynamic-base64' 'sha256-dynamic-base64' ; font-src 'none' ; img-src 'self' ; connect-src 'self' https://*.google-analytics.com ; media-src 'self' ; object-src 'none' ; base-uri 'none' ; manifest-src 'self' ; worker-src 'self' ; frame-src 'none' ; child-src 'none' ; frame-ancestors 'self' https://itsgroup.co.nz/ https://longbushcottage.co.nz/ https://deadrabbitsrun.nz/ https://hub.longbushcottage.co.nz/ https://glasshousesnz.nz/ https://hub.longbushcottage.home/; form-action 'self' ; require-trusted-types-for 'script' ; trusted-types its-gtm-policy goog#html its-sw-policy its-nuke-policy google-analytics its-html-policy its-scripturl-policy its-aaacolor ; upgrade-insecure-requests ; |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| Cross-Origin-Opener-Policy | same-origin |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
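As an added example (not ITS Group's own code), the following Python checker parses a CSP header of the shape shown in the table above, mints a fresh per-request nonce in place of the page's "random-session-base64" placeholder, and audits the directives that make a nonce-based policy hold up; PAGE_CSP is a shortened, constructed copy of the header above and WEAK_CSP is a constructed counter-example.

```python
import secrets

# Constructed input: the CSP from the headers table above, shortened to the directives
# this check cares about; "random-session-base64" is the page's own nonce placeholder.
PAGE_CSP = ("default-src 'none' ; script-src 'self' 'nonce-random-session-base64' 'strict-dynamic' ; "
            "style-src 'self' 'nonce-random-session-base64' ; object-src 'none' ; base-uri 'none' ; "
            "frame-ancestors 'self' https://itsgroup.co.nz/ ; form-action 'self' ; "
            "require-trusted-types-for 'script' ; trusted-types its-html-policy ; upgrade-insecure-requests ;")
# Constructed counter-example: a typical allowlist policy that still permits inline script.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [tokens]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded: a valid CSP nonce that cannot be predicted."""
    return secrets.token_urlsafe(16)

def render_csp(template: str, nonce: str) -> str:
    """Emit this request's header: every placeholder (script-src and style-src) gets the same fresh nonce."""
    return template.replace("random-session-base64", nonce)

def audit_csp(header: str) -> list:
    """Return the hardening checks that fail; an empty list means the policy passes all of them."""
    p = parse_csp(header)
    script = p.get("script-src", p.get("default-src", []))
    failures = []
    if p.get("default-src") != ["'none'"]:
        failures.append("default-src is not 'none'")
    if p.get("object-src", p.get("default-src")) != ["'none'"]:
        failures.append("object-src not 'none' (plugin content could run script)")
    if p.get("base-uri") not in (["'none'"], ["'self'"]):
        failures.append("base-uri unrestricted (an injected <base> can redirect relative script URLs)")
    if not any(t.startswith("'nonce-") for t in script):
        failures.append("script-src has no per-request nonce")
    if "'strict-dynamic'" not in script:
        failures.append("script-src lacks 'strict-dynamic' (falls back to a host allowlist)")
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
        failures.append("script-src allows 'unsafe-inline' or 'unsafe-eval'")
    if p.get("require-trusted-types-for") != ["'script'"]:
        failures.append("require-trusted-types-for 'script' missing (DOM sinks unguarded)")
    if "frame-ancestors" not in p:
        failures.append("frame-ancestors missing (framing not restricted)")
    return failures
```

Run audit_csp against a staging response's Content-Security-Policy value to catch a regression (for example a dropped nonce or an added 'unsafe-inline') before it reaches production.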
🧩 Verification & Results
Our live security configuration is independently verified through Mozilla Observatory — achieving a Score of 145/100 (A+), placing ITS Group among the top tier of globally hardened web environments.
| Metric | Result |
|---|---|
| Final Grade | A+ |
| Score | 145 / 100 |
| Tested URL | https://itsgroup.co.nz |
| Verification Date | January 2026 |
| Verified By | Mozilla Observatory — MDN Web Docs |
| Verification URL | https://developer.mozilla.org/en-US/observatory/analyze?host=itsgroup.co.nz |
This audit confirms full enforcement of CSP v3 nonces, Trusted Types, COOP/COEP/CORP isolation, and an HSTS max-age of two years with preload.