Security

Security and trust posture

listeNotes now exposes the public metadata and headers a real deployment should have. If IT is blocking the site, the next thing to verify is the certificate chain presented by the host, because app code cannot repair an untrusted TLS issuer.

TLS is a hosting concern

This app now advertises a production-grade trust surface, but certificate trust still has to come from your hosting platform or edge network. Use a publicly trusted CA or a corporate-trusted root if IT interception is involved.

Browser hardening is enabled

The app sends HSTS, CSP, frame, MIME-sniffing, referrer, and permissions headers across the site so browsers and scanners see a hardened baseline instead of a default local-dev profile.
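One way a reviewer can confirm that baseline on a captured response, as an added example that is not listeNotes code (the header names match the list above; the sample values are constructed):

```python
# Added example, not listeNotes code: audit one response's headers against the
# hardening baseline the page lists. All header values below are constructed.
import re

ONE_YEAR = 31536000  # HSTS max-age that scanners commonly expect


def _get(headers: dict, name: str):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers: dict) -> list:
    """Return findings for a response; an empty list means the baseline is present."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    # Framing control may come from CSP frame-ancestors or the older X-Frame-Options.
    if not ((csp and "frame-ancestors" in csp) or _get(headers, "X-Frame-Options")):
        findings.append("no framing control (frame-ancestors or X-Frame-Options)")
    nosniff = _get(headers, "X-Content-Type-Options")
    if nosniff is None or nosniff.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if _get(headers, name) is None:
            findings.append(f"missing {name}")
    return findings


# Constructed sample responses: a hardened production profile and a bare dev profile.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
LOCAL_DEV = {"Content-Type": "text/html; charset=utf-8"}
```

Feed it the header dict from any HTTP client; `audit_headers(LOCAL_DEV)` reports all six gaps, while the hardened profile returns no findings.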

Discovery endpoints are present

Robots, sitemap, manifest, app icons, and social preview images are generated from the app itself so public crawlers and preview bots see a complete deployment surface.

OAuth stays delegated

Authentication continues to flow through Supabase and the upstream providers. That keeps secrets off the client and leaves provider callback validation with the auth platform.

IT review surface

These endpoints are public and stable enough to hand to a reviewer or scanner during an approval pass.

Canonical policy page: https://listenotes.app/security