Security
Last updated: July 15, 2026
We build systems for other people's businesses, so it would be strange to run a careless website. This page describes how taqi.io is actually built and how to reach us about a security problem.
Reporting a vulnerability
Found something? Email security@taqi.io with enough detail to reproduce it. We aim to acknowledge reports within 3 business days. Please give us a reasonable opportunity to fix the issue before disclosing it publicly.
We do not currently run a paid bug bounty, so we cannot offer a reward. We will not pursue legal action against researchers who report issues in good faith, act in a way that respects the privacy of others, avoid degrading our services, and do not access or modify data that is not their own. Please do not run automated scanning that generates significant traffic, and do not attempt social engineering, physical attacks, or denial of service.
A machine-readable version of this contact information is published at /.well-known/security.txt.
How this site is built
This is a static website. There is no application server, no database, and no user accounts. That eliminates entire categories of risk rather than mitigating them, which is the point.
- No JavaScript. The site ships zero client-side script, from us or from anyone else.
- No third-party requests. Fonts and images are served from our own domain. Loading a page here does not cause your browser to contact any outside company. There are no CDNs, tag managers, analytics products, chat widgets, or advertising pixels.
- No cookies for tracking. We do not use cookies for analytics, advertising, or profiling.
- HTTPS only. All traffic is served over TLS. HTTP requests are redirected, and we send HTTP Strict Transport Security so browsers refuse to downgrade.
- Content Security Policy. A strict CSP restricts every resource type to our own origin, disallows inline and third-party script, and forbids framing the site.
- Hardened response headers. Including
X-Content-Type-Options,Referrer-Policy,Permissions-Policy, and cross-origin isolation headers. - No build dependencies. The site is hand-written HTML and CSS with no package manager and no third-party build chain, so it has no supply-chain surface to compromise.
Data we hold from this site
The only personal data this site collects is what you type into the contact form, which our host processes and forwards to our email. We ask for the minimum needed to reply to you, and nothing about you is sold or shared for advertising. Details are in our Privacy Policy.
Infrastructure
The site is hosted by Netlify, and our email runs on Google Workspace. Both are responsible for the security of their own platforms under their respective agreements with us. Access to our hosting and domain accounts is limited to people who need it and protected by multi-factor authentication.
What this page is not
We want to be straight with you: this page describes the security of this website. It is not a certification, an audit report, or a compliance attestation, and we do not claim to hold one. If you are evaluating Taqi for an engagement and need to discuss how we would handle security within your environment — including your own compliance requirements — that is a conversation we are glad to have. Start it at hello@taqi.io.