About ET · Security Posture

Security review: current posture and next fixes

An internal, rebuild-driven security posture page for the current site. This is a static-source review of the repo and generated page patterns, not a penetration test or infrastructure assessment. It is designed to update automatically as code and content improve.

  • 129 public pages missing CSP: current generated public pages without visible CSP coverage
  • 374 blank links missing rel: 31 pages with target=_blank but no rel
  • 23 inline script blocks: 23 pages with inline script tags
  • 0 inline event handlers: 0 pages with inline on* handlers
  • 136 pages reviewed
  • 129 public shell pages
  • 34 structured newsroom posts
  • 13 structured event pages

What this review does and does not cover

This page reviews source fragments, shared templates, head content, and generated page patterns that affect the security posture of the public-facing site build. It focuses on issues that can be observed and tracked directly in the repo.

It does not test infrastructure, authentication systems, hosting configuration, WAF rules, DNS, TLS setup, or server-side controls. The build currently contains 136 generated pages in scope for this source-level review.

Current security issues visible in the repo

High

No content security policy is evident in generated public pages

129 public pages currently build without any visible Content-Security-Policy declaration in page head content.

Without a CSP strategy, the site has weaker protection against script injection, third-party asset abuse, and accidental expansion of executable content.

Examples
  • about/index.html
  • ai/policy/index.html
  • ai/index.html
  • ai/gemini/index.html
  • ai/openai/index.html
  • ai/claude/index.html

High

Some external links still open new tabs without rel protection

374 target="_blank" links were found across 31 source pages without rel protection.

Missing rel attributes weaken link isolation and can create opener-related security and privacy issues when external destinations are opened.

Examples
  • ai/policy/index.html
  • ai/gemini/index.html
  • ai/openai/index.html
  • ai/claude/index.html
  • services/box/index.html
  • services/canva/index.html

Medium

Inline behavior is still used in page source

23 inline script blocks and 0 inline event handler patterns were found across 6 source pages.

Inline JavaScript increases XSS exposure and makes it harder to lock down the site with a stricter Content-Security-Policy later.

Examples
  • about/index.html
  • ai/policy/index.html
  • ai/index.html
  • services/box/index.html
  • services/canva/index.html
  • services/canvas/index.html

Low

Mixed-content and executable URL checks are currently clean

0 insecure HTTP links and 0 javascript: URLs were found in source fragments.

These are simple but important hygiene checks. Keeping them at zero prevents obvious browser security and trust problems from creeping into the site.

Signals that are currently in a better state

No insecure HTTP links detected in source fragments (count: 0)

The current source fragments do not contain plain HTTP href or src targets.

No javascript: URLs detected (count: 0)

The current source fragments do not expose javascript: href or src patterns.
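The six signals above can be regenerated from built HTML with a small parser on each rebuild; the following is an added example, not the site's own tooling, and the two sample pages in it are constructed rather than taken from the real build:

```python
from html.parser import HTMLParser

KEYS = ("csp", "blank_no_rel", "inline_script", "inline_handler", "http_url", "js_url")

class PostureScanner(HTMLParser):  # per-page counts for the six signals tracked on this page
    def __init__(self, html):
        super().__init__()
        self.counts = dict.fromkeys(KEYS, 0)
        self._inline_script_open = False
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag/attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.counts["csp"] += 1
        if a.get("target", "").lower() == "_blank":
            if not {"noopener", "noreferrer"} & set(a.get("rel", "").lower().split()):
                self.counts["blank_no_rel"] += 1
        if tag == "script":
            self._inline_script_open = "src" not in a  # only a src-less body is inline
        for k, v in a.items():
            if k.startswith("on") and len(k) > 2:
                self.counts["inline_handler"] += 1
            if k in ("href", "src"):
                url = v.strip().lower()
                self.counts["http_url"] += url.startswith("http:")
                self.counts["js_url"] += url.startswith("javascript:")

    def handle_data(self, data):
        if self._inline_script_open and data.strip():
            self.counts["inline_script"] += 1
            self._inline_script_open = False  # one block, even if its body arrives chunked

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script_open = False

def scan_site(pages):  # roll per-page counts up into this page's headline figures
    per = [PostureScanner(h).counts for h in pages]
    return {**{k: sum(c[k] for c in per) for k in KEYS if k != "csp"},
            "pages_missing_csp": sum(c["csp"] == 0 for c in per)}

CLEAN_PAGE = (  # constructed sample, not from the real site
    '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
    '<a href="https://example.org" target="_blank" rel="noopener noreferrer">ok</a>')
FLAGGED_PAGE = (  # constructed sample that trips every check once
    '<script>document.body.dataset.ready = "1";</script>'
    '<a href="https://example.org" target="_blank">new tab</a>'
    '<img src="http://example.org/logo.png" onerror="this.hidden = true">'
    '<a href="javascript:void(0)">noop</a>')
```

A CSP delivered as a response header by the hosting layer is invisible to this source-level check, which is why the page counts only the meta declaration.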

Recommended remediation order

01 Establish a CSP strategy

Move toward a Content-Security-Policy delivered through hosting or a shared template strategy, then use this page to watch the uncovered page count shrink.

02 Remove unsafe new-tab patterns

Normalize all external links that open new tabs so they consistently include safe rel attributes and remain easy to audit.

03 Reduce inline JavaScript

Convert inline scripts and on* handlers to shared scripts and more explicit behavior hooks so future CSP hardening is realistic.

04 Add a deeper manual review

After source cleanup, run a browser and hosting review for headers, cookie behavior, third-party requests, caching, and external dependency exposure.