ATLAS Research Desk · Security & Trust

Modern browser security. Publicly re-testable grades, not self-declared.

Atlas uses modern TLS, HSTS, CSP and browser security controls. Its public TLS and header grades can be independently re-tested, payment-card collection is hosted by Stripe, and the implementation was reviewed with Claude Fable 5 as an AI-assisted engineering review. The Qualys and Mozilla grades are public tests; the AI review is not an independent certification.

A+

Qualys SSL Labs · TLS grade

Fresh independent scan completed 11 June 2026. Re-run the public test →

FABLE 5

Reviewed with Claude Fable 5

AI-assisted hardening review: live header inspection, TLS verification, payment-flow checks from checkout to webhook, and CSP hash-locking verified against live response bytes. 11 June 2026.

A+

Mozilla HTTP Observatory · headers

All 10 hardening tests passed — score 120 of 100, with bonus points for hash-locked script security. Verified 11 June 2026. Re-run the public test →

What is verified on the wire

✓TLS 1.2/1.3 with HSTS — encrypted connections enforced for two years across every FreedomCore subdomain; submitted to the browsers' built-in preload list (11 June 2026, registration in progress).
✓Hash-locked scripts — no blanket inline-script allowance anywhere: every permitted script is either a same-origin file or cryptographically pinned by its SHA-256 fingerprint. Change a single character and the browser refuses to run it.
✓Full Content-Security-Policy — scripts, styles, frames and connections restricted to an explicit allowlist; frame-ancestors 'none' means no site can embed Atlas to spoof it.
✓Clickjacking and MIME protection — X-Frame-Options DENY, X-Content-Type-Options nosniff.
✓Cross-origin isolation — COOP and CORP set to same-origin; strict Referrer-Policy.
✓Hardware locked out — Permissions-Policy disables camera, microphone, geolocation, USB and sensors for the whole site. Atlas never asks, and never can.

Payment security

✓Checkout is handled entirely by Stripe, certified PCI DSS Level 1 — the highest standard of card security that exists.
✓Your card details never touch FreedomCore servers. We receive a signed confirmation that payment happened, never the card.
✓Webhook signatures verified — subscription events are cryptographically checked before any account change.
✓Self-service control — cancel any time in the Stripe billing portal; 14-day no-questions refund on the first payment.

What Atlas never does

✓No brokerage connection, no trade execution, no access to your funds — Atlas is research only.
✓No card storage and no plaintext passwords. Atlas stores one-way password hashes and account-security records where required; billing card collection remains hosted by Stripe.
✓No third-party ad trackers on research pages.

Don't take our word for it

→Qualys SSL Labs — the industry-standard TLS test.
→Mozilla HTTP Observatory — header and policy hardening.
→SecurityHeaders.com — independent header scan by Probely.
→hstspreload.org — Chrome's own preload registry.

Review statement. The security posture of atlas.freedomcore.io was reviewed with Claude Fable 5 (model id claude-fable-5) as an AI-assisted engineering review: live header inspection across the site, TLS verification, payment-flow checks from checkout to webhook, and confirmation of the A+ TLS grade with Qualys SSL Labs and the header score with Mozilla's HTTP Observatory on the date below. Qualys and Mozilla results are independently reproducible through the links above; the AI-assisted review is not an independent certification.

Reviewed 2026-06-11 · Claude Fable 5-assisted · grades re-verifiable by anyone, any time