This Security Policy describes HSJ Information’s approach to maintaining the confidentiality, integrity, and availability of our systems, data, and services. It also describes how security issues can be responsibly disclosed, and how we manage risk and respond to incidents.
2. Scope
This policy applies to all web properties operated by HSJ Information, including but not limited to:
(production)
dev / staging / multidev environments
APIs, internal tools, and third-party integrations used on these sites
It covers all data flows, assets, and third-party services that interact with our platform.
3. Responsibilities
HSJ Information Technology / DevOps: maintain server infrastructure, security patches, TLS configuration, and firewall rules.
Third-party service providers: must meet or exceed our security expectations (TLS encryption, CORS policy, data protection).
4. Secure Configuration & Hardening
All web connections enforce HTTPS only with strong TLS settings (TLS 1.3 preferred).
We use a Content Security Policy (CSP) to limit allowed origins for scripts, styles, images, media, frames, etc. We allow only specific trusted domains to ensure site functionality (e.g. YouTube, Wistia, Marketo, Hotjar).
We remove or suppress identifying HTTP headers (e.g. X-Generator, X-Drupal-Cache, X-Frame-Options) to minimize fingerprinting.
We use Referrer-Policy, X-Content-Type-Options, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, and X-Permitted-Cross-Domain-Policies to enhance browser-level protection.
We monitor and patch dependencies and CMS modules regularly.
5. Content Security Policy (CSP) Approach
We currently maintain a CSP that balances security and required third-party integrations. In the short term we allow 'unsafe-inline' for legacy inline scripts and vendor snippets; in the long term, we plan to transition to CSP nonces or hashes, removing 'unsafe-inline'.
We review CSP violations and logs regularly. We use report-only mode for Cross-Origin-Embedder-Policy to test isolation without breaking functionality.
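As an added illustration of sections 4 and 5 (not HSJ Information's own configuration or code), the following Python snippet parses a transitional CSP that still carries 'unsafe-inline', checks whether inline scripts would actually execute under it, and builds the target nonce- or hash-based policy together with the other response headers named above. The vendor hostnames, the header values and the inline snippet are assumed placeholders chosen for the example.

```python
import base64
import hashlib
import secrets

# Constructed example of the transitional policy the page describes: 'unsafe-inline'
# is still allowed in script-src for legacy inline scripts. Hostnames are assumed
# placeholders for the named vendors, not the site's real allowlist.
LEGACY_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://www.youtube.com https://fast.wistia.com; "
    "style-src 'self' 'unsafe-inline'; "
    "frame-src https://www.youtube.com https://fast.wistia.net; "
    "img-src 'self' data: https:;"
)

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_allows_inline(policy):
    """True when inline scripts would actually execute under this policy.

    script-src falls back to default-src when absent. From CSP Level 2 on,
    browsers ignore 'unsafe-inline' in a directive that also carries a nonce
    or hash source, so a policy with both is already effectively nonce/hash-only.
    """
    sources = policy.get("script-src", policy.get("default-src", []))
    has_inline = "'unsafe-inline'" in sources
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    return has_inline and not has_nonce_or_hash


def make_nonce():
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(16)


def script_hash_source(script_body):
    """CSP hash source for a fixed inline snippet (e.g. a vendor tag you cannot
    nonce). The hash covers the exact text between the tags, whitespace included."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_nonce_csp(nonce, script_hosts=(), inline_hashes=()):
    """Target policy: no 'unsafe-inline' in script-src; an inline script must
    carry the nonce or match one of the listed hashes."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *inline_hashes, *script_hosts])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "style-src 'self' 'unsafe-inline'; "
        "frame-src https://www.youtube.com https://fast.wistia.net; "
        "img-src 'self' data: https:; "
        "object-src 'none'; base-uri 'self';"
    )


def render_inline_script(nonce, body):
    """Emit an inline script tag that the nonce policy will allow."""
    return f'<script nonce="{nonce}">{body}</script>'


def security_headers(nonce):
    """Assumed values for the headers named in sections 4 and 5; tune per site.
    COEP is sent in report-only form, as section 5 describes."""
    return {
        "Content-Security-Policy": build_nonce_csp(nonce, script_hosts=("https://www.youtube.com",)),
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy-Report-Only": "require-corp",
        "X-Permitted-Cross-Domain-Policies": "none",
    }


if __name__ == "__main__":
    print("legacy policy allows inline:", script_src_allows_inline(parse_csp(LEGACY_CSP)))
    nonce = make_nonce()
    snippet = "window.dataLayer = window.dataLayer || [];"  # constructed vendor-style snippet
    print(security_headers(nonce)["Content-Security-Policy"])
    print(render_inline_script(nonce, snippet))
    print("hash alternative:", script_hash_source(snippet))
```

The nonce must be generated per response and never cached with the page, otherwise it degrades to a static allowlist. The hash form suits vendor snippets whose text never changes; any edit to the snippet, including whitespace, invalidates the hash and the browser will block it, which is the behaviour the CSP violation reports mentioned above will surface.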
6. Vulnerability Reporting & Disclosure
We encourage responsible disclosure of security issues. You can report vulnerabilities via security@hsjinformation.co.uk (the same address listed in our security.txt). When reporting, please include:
Affected URL(s)
Steps to reproduce the issue
Any relevant screenshots, logs, or request/response headers
Contact information for follow-up
We commit to acknowledging reports within 72 hours and providing updates on remediation work. Critical issues will be prioritized immediately.
7. Incident Response & Logging
Security incidents (e.g. data breach, system compromise) follow our internal incident response procedure.
We retain detailed logs (request logs, application errors) in secure, access-controlled storage for at least 90 days.
In the event of a breach, we will assess impact, isolate, remediate, notify affected parties, and disclose where legally required.
8. Testing & Audits
We perform periodic security assessments, including internal review, static analysis, dynamic scans, and penetration tests.
We act on findings promptly and re-test after remediation.
This site is periodically rescanned by external tools; we maintain a backlog of lower-risk items and track them until closed.
9. Third-Party Integrations
Any integrated third-party service (analytics, video, forms, ads, tracking) must use:
TLS
Minimal required permissions (least privilege)
CORS / CORP / CSP compatibility
Periodic review for security updates
If a third party cannot meet our security standards, we isolate or replace it.
10. Changes & Updates to This Policy
We may update this Security Policy periodically (e.g., when architecture changes, after audits). The version date is shown below. Users (e.g. auditors, customers) should refer to this page for the current policy.