binary-punks

Proof over promises

Verify

Live-measured receipts — self-hosted and dated.

Why we self-host these reports instead of linking out
Linking you to SSL Labs or securityheaders.com would make your browser open a connection to a third party — the exact thing this page exists to disprove. “Zero external origins, visitors talk to no one but us” has to hold here too, or it’s just talk. So we run each tool against the live site, capture the result, and serve the receipt ourselves — first-party, dated, nothing phoning home. The tools are named on every row; point them at the site yourself and you’ll get the same grade.

We won't show you a score we haven't earned. Each result below was measured on the running site by the named tool and captured here verbatim — no link-outs (visitors talk to no one but us); re-run the tool yourself to confirm. Unmeasured items stay honest targets.

Performance 100 · verified

Measured by Lighthouse · 2026-06-17

  • Scored 100/100 — worst route's median of 7 runs across 4 routes.

Accessibility 100 · verified

Measured by Lighthouse · 2026-06-17

  • Scored 100/100 — worst route's median of 7 runs across 4 routes.

Best Practices 100 · verified

Measured by Lighthouse · 2026-06-17

  • Scored 100/100 — worst route's median of 7 runs across 4 routes.

SEO 100 · verified

Measured by Lighthouse · 2026-06-17

  • Scored 100/100 — worst route's median of 7 runs across 4 routes.

TLS A+ · verified

Measured by SSL Labs · 2026-06-17

  • Grade A+ across 2 endpoint(s) (IPv4 + IPv6)
  • Protocols: TLS 1.3 + TLS 1.2 only (no legacy SSL/TLS)
  • HSTS advertised with includeSubDomains + preload

Security headers A+ · verified

Measured by securityheaders.com · 2026-06-17

  • Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-Ip2tb4GW7g18aQTz0KRp7GmpnnOZO9QsKMTIZ5zGFhQ=' 'sha256-SLt6znORU3y6Vj1po49AIBidI7nipK7MYQUGcQBkILw=' 'sha256-fkw3hXebEQRN7jVSD1Yrusl1ZbXgEZagdK6PUFDamZg=' 'sha256-tYCcUbFfjZ9QESuTWESGWrFg2SmiEdyD2MYUfRWUgK0='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'
  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()

WCAG 2.2 AA AA · verified

Measured by axe-core · 2026-06-17

  • axe-core WCAG 2.2 AA ruleset (wcag2a/2aa, wcag21a/21aa, wcag22aa) + heading-order & landmark structural checks.
  • 0 violations across 7 routes × light/dark × desktop+mobile (28 cells), zero baselined exceptions.
  • Automated coverage against the production build — complements, does not replace, the manual voluntary-AA accessibility statement.

Core Web Vitals to be measured

No number until it's measured live and passing — then it earns its value here. No fake green.

Receipts written by scripts/verify/measure.mjs against the live host.