Security Analysis
Defense-in-depth security verified against NIST, CISA, and industry standards. A+ CSP rating with zero external dependencies.
Security Scorecard
Real-time security metrics verified against industry standards
Security isn't something you do once and forget. Effective security requires continuous monitoring, assessment, and improvement. Praxis was designed with security as a core principle, not a bolt-on addition.
Defense-in-Depth Architecture
Multiple security layers as recommended by NIST SP 800-53
The defense-in-depth model recommends implementing multiple overlapping security controls so that if one fails, others remain. Here's how Praxis implements this principle:
Defense in Depth
Multiple layers of security controls ensure that if one layer fails, others remain. We don't rely on a single security measure but implement overlapping protections at every level.
Principle of Least Privilege
Our Content Security Policy allows only what's absolutely necessary. No inline scripts, no external resources, no unnecessary permissions. If it's not needed, it's blocked.
Zero Trust Architecture
We assume no external resource is trustworthy. All styles, scripts, and assets are self-hosted with no third-party dependencies.
Continuous Improvement
Every code change is reviewed against security standards. We regularly audit for vulnerabilities and incorporate new security research into our approach.
Content Security Policy Analysis
A+ rated CSP verified against Mozilla Observatory standards
Content Security Policy (CSP) is a browser security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP is one of the most effective mitigations against XSS attacks.
CSP Directive Compliance
Our CSP implementation compared to Mozilla Observatory's recommended security level:
default-src 'none' - Block Everything by Default
This is the most restrictive default policy possible. Every resource type must be explicitly allowed. This follows the principle of deny-by-default.
Effect: Prevents any unexpected content from loading, including scripts, styles, images, fonts, and connections unless explicitly permitted.
script-src 'self' - No External JavaScript
Only scripts from our own domain are allowed. No inline scripts, no eval(), no external JavaScript files from CDNs.
XSS Prevention: Strict CSP that blocks inline scripts can prevent the majority of XSS attacks.
style-src 'self' - No Inline Styles
Only stylesheets from our domain are permitted. No inline styles means no CSS injection attacks possible.
Implementation: All 11,000+ lines of CSS are in a single external stylesheet (styles.css). Zero style attributes in HTML.
connect-src 'self' - No External Connections
Network requests only to our own domain. No external API calls, no tracking beacons, no data exfiltration possible.
Privacy Benefit: User data cannot be sent to third parties because the browser blocks all external connections.
form-action 'none' - No Form Submissions
Forms cannot submit data anywhere. This prevents form hijacking attacks where malicious actors redirect form submissions to attacker-controlled servers.
Praxis Note: Since all tools run client-side in JavaScript, no form submissions are needed.
base-uri 'none' - No Base URL Manipulation
The base URL cannot be changed by injected content. This prevents base tag injection attacks that could redirect all relative URLs to attacker-controlled servers.
Cross-Site Scripting (XSS) remains a critical web application security risk. Most websites allow inline scripts and styles for convenience. We chose the harder path: refactoring all code to work with strict CSP. The result is a site that's practically immune to XSS attacks.
Security Compliance
Security posture aligned with NIST Cybersecurity Technique 2.0
Modern cybersecurity frameworks emphasize managing risk across organizations of all sizes. Praxis implements security-by-design principles that eliminate entire categories of vulnerabilities.
Attack Surface Comparison
Supply chain attacks are a top threat vector in modern web security
Typical Web Application
8 Attack Vectors:
Authentication system vulnerabilities, database breaches, server-side code exploits, supply chain attacks via npm/CDN, tracking script injection, third-party library flaws, form submission hijacking, session token theft.
Praxis Architecture
0 Attack Vectors:
No authentication (nothing to break), no database (nothing to breach), client-side only (no server exploits), zero dependencies (no supply chain), no tracking (complete privacy), self-hosted assets, no forms, stateless design.
Privacy by Design
We can't leak what we don't collect
Privacy by Design establishes that privacy should be embedded into technology from the start. Praxis implements all seven foundational principles:
No Analytics
No Google Analytics, no tracking pixels, no session recording. We don't know who you are, where you're from, or what you're doing. And we like it that way.
No Cookies
Praxis sets no cookies. Your browser preferences (like accessibility settings) are stored only in localStorage on your device, never sent to any server.
No External Requests
Zero requests to external servers. No fonts from Google, no scripts from CDNs, no images from third parties. Your browser only talks to our server.
Client-Side Processing
All tools (Prompt Analyzer, Technique Finder, etc.) run entirely in your browser. Your prompts and data never leave your device.
Open your browser's developer tools (F12), go to the Network tab, and reload this page. You'll see only requests to Praxis's own domain. No third parties. No trackers. Complete transparency.
Security Audit Results
Automated security analysis from February 2026
Our continuous security process runs automated scans against NIST security standards and CSP compliance. These are actual results from our most recent comprehensive audit:
Vulnerability Scan Results
innerHTML Usage
Found: 19 - All instances reviewed and verified safe. Used only with template literals containing pre-sanitized content, never with user input.
External Link Security
100% Compliant - All external links (GitHub, LinkedIn) include target="_blank" with rel="noopener noreferrer" to prevent tabnabbing attacks.
CSS Lines
11,000+ - All in single external stylesheet (styles.css). Zero inline styles across all 30+ HTML pages.
JavaScript Lines
8,500+ - All in single external file (app.js) loaded with defer. Zero inline scripts.
Full Transparency
Trust through openness
Praxis is open source. Every line of code is visible on GitHub. You can audit our security yourself, suggest improvements, or fork the project with confidence that you know exactly what you're getting.
Open Source
Complete source code available on GitHub. No hidden code, no obfuscation, no secrets. What you see is exactly what runs.
Documented Decisions
Security choices are documented and explained. We don't just implement security; we explain why each measure exists.
Version History
Complete git history shows every change ever made. Full accountability and traceability for all modifications.
Community Review
Open to security researchers and community feedback. If you find something, we want to know about it.
Sources
- Website Security Best Practices - CISA
- Cybersecurity Technique 2.0 - NIST
- NIST Cybersecurity Technique 2.0 (PDF) - NIST Publications
Security Resources
NIST Cybersecurity
Official U.S. government cybersecurity standards and guidelines.
nist.gov/cybersecurity →CISA Security
U.S. Cybersecurity and Infrastructure Security Agency resources.
cisa.gov/cybersecurity →View the Source
Security through obscurity is no security at all. Review our code, verify our claims, and see how it's done.