PentStark
Trust · Security

Public controls. Explicit boundary.

This page describes the configuration shipped with pentstark.com, our static marketing surface. It does not turn contract-specific application or operational controls into unsupported public claims.

Published configurationScope · pentstark.comStatic surface
Evidence boundary

Know what the claim covers.

The statements below are derived from the deployment configuration published with this website. Hosting behavior should be validated again whenever infrastructure changes.

Covered here

Public host redirects, HTTP response-header policy, static delivery behavior, and vulnerability-reporting routes.

Procurement scope

Customer systems, engagement-data controls, operating procedures, and contract-specific evidence.

Published web controls

Inspectable by design.

These are configuration statements, not a substitute for an independent scan of the live host.

  1. 01

    Transport & canonical origin

    The Apache configuration sends visitors to HTTPS and keeps one canonical public hostname.

    • HTTP requests redirect to HTTPS.
    • www requests redirect to the apex hostname.
    • HSTS is configured with a two-year max-age, includeSubDomains, and preload directives.
    Published deployment configuration
  2. 02

    Browser security boundary

    Response headers restrict framing, object embedding, referrer detail, and access to sensitive browser capabilities.

    • Content-Security-Policy defaults resources to the same origin and blocks objects and cross-origin framing.
    • The current static-site policy includes explicit service allowlists and permits inline scripts and styles; it does not claim nonce-based enforcement.
    • X-Content-Type-Options is set to nosniff and X-Frame-Options to DENY.
    • Referrer-Policy is strict-origin-when-cross-origin; camera, microphone, and geolocation are disabled by Permissions-Policy.
    • Cross-Origin-Opener-Policy is set to same-origin.
    Published response-header policy
  3. 03

    Static delivery surface

    The public marketing site is a static Next.js export delivered through Hostinger's Apache-compatible hosting layer.

    • The marketing surface is deployed as static files rather than a Next.js application server.
    • HTML is configured to revalidate so published changes are not held behind a long browser cache.
    • Compression is enabled for common text assets; versioned CSS, JavaScript, fonts, and images receive cache rules.
    • The server signature and X-Powered-By response headers are removed by the published configuration.
    Static export + Hostinger deployment
  4. 04

    Disclosure route

    A public disclosure policy and direct security contact keep vulnerability reporting discoverable.

    • The responsible-disclosure policy defines in-scope properties, out-of-scope testing, safe harbor, and response windows.
    • Security reports are routed to security@pentstark.com.
    • The site footer and Trust Center both provide a direct path to the disclosure policy.
    Published disclosure policy
Contract-specific assurance

Public copy is not evidence for every system.

Application and operational topics belong in a scoped review. Request the relevant material under NDA instead of relying on a generic marketing statement.

Request security evidence
  • 01Customer-portal access controls
  • 02Engagement-data handling and retention
  • 03Application architecture and isolation
  • 04SDLC, monitoring, and operational controls

Security contacts

Report a vulnerability directly or review the disclosure policy before testing.