Verification Metadata
- Route: /transparency/network-capabilities/
- Last verified:
- Verification targets: paycal.app, www.paycal.app, dev.paycal.app
- Capture method: HTTP response-header inspection and protocol negotiation probes.
- Observed entry behavior: HTTPS entrypoints redirect to auth routes with security headers applied on redirect responses.
Executive Summary
- All public entrypoints are HTTPS and redirect to canonical auth routes.
- HTTP/3 is advertised via Alt-Svc and negotiated automatically by compatible clients.
- HSTS is sent with a one-year max-age, includeSubDomains and the preload directive, so browsers enforce HTTPS after first contact and, once the domain is on the preload list, before it.
- Cross-origin isolation controls (COOP, COEP, CORP) are active.
- Browser-hardening headers include CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
Protocol and Routing Behavior
- Primary protocol baseline: HTTP/2 observed on initial requests. This is expected: a client only learns that h3 is available from the Alt-Svc header on that first response and switches to QUIC on later connections.
- HTTP/3 advertisement: alt-svc: h3=":443"; ma=86400.
- Fallback behavior: clients that cannot use QUIC (no client support, or UDP 443 blocked on the path) continue on HTTP/2 or HTTP/1.1 without route-level behavior change.
- Canonical redirect behavior: root and non-auth entrypoints redirect to auth paths (for example, https://paycal.app/ to https://www.paycal.app/auth/).
Transport Security Controls
| Control | Observed Value | Purpose |
|---|---|---|
| HSTS | strict-transport-security: max-age=31536000; includeSubDomains; preload | Forces HTTPS for one year on the host and every subdomain, and carries the preload directive required for inclusion in the browser preload list (the directive alone does not add the domain; it must also be submitted to the list). Preload closes the first-visit downgrade window that plain HSTS leaves open. |
| HTTP/3 Advertisement | alt-svc: h3=":443"; ma=86400 | Tells clients they may reach the same host over QUIC/HTTP/3 on UDP port 443 and may cache that fact for 24 hours (ma=86400), while HTTP/2 and HTTP/1.1 remain available for clients that cannot use it. |
| Server Signature | server: nginx | Documents the observed edge server family at verification time. |
Browser Security Header Baseline
| Header | Observed Value | Security Effect |
|---|---|---|
| CSP | content-security-policy: default-src 'self' https: data: blob:; object-src 'none'; frame-ancestors 'none'; base-uri 'self' | Blocks inline script and eval (no 'unsafe-inline' or 'unsafe-eval'), plain-HTTP resources, plugin objects (object-src 'none'), framing by any origin (frame-ancestors 'none') and base-tag manipulation (base-uri 'self'). Because no script-src is set, the https:, data: and blob: sources in default-src apply to scripts as well, so script origin is limited to HTTPS sources rather than pinned to 'self'. |
| COOP | cross-origin-opener-policy: same-origin | Puts the document in its own browsing context group, severing window references from cross-origin openers and popups; with COEP require-corp this is the pair of headers that makes a page crossOriginIsolated. |
| COEP | cross-origin-embedder-policy: require-corp | Cross-origin subresources load only if they opt in through a CORP header or CORS; everything else is blocked, which is what makes the isolation boundary enforceable. |
| CORP | cross-origin-resource-policy: same-site | Responses carrying this header can be loaded only by documents on the same site (paycal.app and its subdomains), so other sites cannot embed them. |
| X-Content-Type-Options | x-content-type-options: nosniff | Stops MIME sniffing, so a mislabeled response is not interpreted as script or stylesheet. |
| X-Frame-Options | x-frame-options: DENY | Blocks framing in browsers that predate frame-ancestors; where CSP is supported, the frame-ancestors directive takes precedence and this header is a compatibility fallback. |
| Referrer-Policy | referrer-policy: strict-origin-when-cross-origin | Sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing on an HTTPS-to-HTTP downgrade. |
| Permissions-Policy | permissions-policy: accelerometer=(), camera=(), microphone=(), geolocation=(), usb=(), unload=() | The empty allowlists disable accelerometer, camera, microphone, geolocation and WebUSB for the page and every embedded frame (an iframe allow attribute cannot re-enable them), and unload=() turns off the unload event handler, which also improves back/forward-cache eligibility. Re-enabling any capability requires changing the header itself. |
QUIC and Multi-Request Workloads
PayCal uses increasingly API-oriented page flows (for example, lazy-loaded earnings sections). In this request pattern, many small requests share one connection, so QUIC's shorter handshake and per-stream loss recovery (no TCP head-of-line blocking across streams) reduce connection and transport overhead and improve aggregate responsiveness.
- QUIC support is active through HTTP/3 advertisement over port 443.
- Browsers upgrade automatically when QUIC is available and healthy.
- If QUIC is unavailable on a client or network path, requests proceed on HTTP/2 fallback without feature loss.
Use Case: Diagnosing Transport and Header Regressions
Before promoting a release, operations can run a simple header probe against the production and dev domains and compare the HSTS, CSP, COOP/COEP/CORP and Alt-Svc values on the redirect responses against this published baseline, catching misconfigured edge policy before it reaches users.
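The probe described in the use case above, written out as an added example (it is not PayCal's own tooling). It serves both the header tables and the use case: it parses a raw HTTP response, checks the HSTS and Alt-Svc directives rather than the literal strings (so a changed max-age or ma value is reported as such), exact-matches the browser-hardening headers against the baseline, and returns a list of findings. The two sample responses are constructed for the example; the probe() helper and the hostnames in the usage note are only needed for live checks against the verification targets.

```python
"""Added example (not PayCal's tooling): compare a response against this page's header baseline."""
import http.client
import re
from urllib.parse import urlsplit

# Exact-match controls from the tables above. HSTS and Alt-Svc are checked by
# directive so a changed max-age or ma value is judged rather than string-diffed.
BASELINE_EXACT = {
    "content-security-policy": "default-src 'self' https: data: blob:; "
                               "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-resource-policy": "same-site",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "accelerometer=(), camera=(), microphone=(), "
                          "geolocation=(), usb=(), unload=()",
}
HSTS_MIN_AGE = 31536000  # one year, the observed value

def parse_directives(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': True}"""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip() or True
    return out

def parse_raw_response(raw):
    """Parse a raw HTTP/1.x response head into (status, {lowercased name: value})."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, val = line.partition(":")
        name, val = name.strip().lower(), val.strip()
        headers[name] = f"{headers[name]}, {val}" if name in headers else val  # fold repeats
    return status, headers

def check_baseline(headers):
    """Return a list of findings; an empty list means the response matches the baseline."""
    findings = []
    for name, expected in BASELINE_EXACT.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif " ".join(got.split()) != expected:
            findings.append(f"{name}: expected {expected!r}, got {got!r}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        d = parse_directives(hsts)
        age = int(d["max-age"]) if str(d.get("max-age", "")).isdigit() else 0
        if age < HSTS_MIN_AGE:
            findings.append(f"hsts max-age {age} below {HSTS_MIN_AGE}")
        findings += [f"hsts missing {flag}" for flag in ("includesubdomains", "preload") if flag not in d]
    # Alt-Svc (RFC 7838) is a comma-separated list of  protocol=":port"; params  entries.
    alt = headers.get("alt-svc", "")
    if not re.search(r'(^|,)\s*h3=":443"', alt):
        findings.append(f"alt-svc does not advertise h3 on :443 (got {alt!r})")
    return findings

def probe(url):
    """Live check: fetch one response without following redirects, since the baseline
    is observed on the redirect responses themselves."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return parse_raw_response(raw)

def _constructed(*extra):
    """Constructed redirect response carrying the baseline headers plus the given lines."""
    base = [f"{k}: {v}" for k, v in BASELINE_EXACT.items() if k != "x-frame-options"]
    return "\r\n".join(["HTTP/1.1 301 Moved Permanently", "server: nginx",
                        "location: https://www.paycal.app/auth/", *base, *extra]) + "\r\n\r\n"

# One constructed response matching the baseline and one with three regressions:
# HSTS without preload, Alt-Svc dropped, X-Frame-Options relaxed to SAMEORIGIN.
SAMPLE_GOOD = _constructed(
    "strict-transport-security: max-age=31536000; includeSubDomains; preload",
    'alt-svc: h3=":443"; ma=86400', "x-frame-options: DENY")
SAMPLE_REGRESSED = _constructed(
    "strict-transport-security: max-age=31536000; includeSubDomains",
    "x-frame-options: SAMEORIGIN")

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD), ("regressed", SAMPLE_REGRESSED)):
        status, hdrs = parse_raw_response(raw)
        print(label, status, check_baseline(hdrs) or "matches baseline")
```

For a live run, call check_baseline(probe(f"https://{host}/")[1]) for each of paycal.app, www.paycal.app and dev.paycal.app; http.client does not follow redirects, which is what you want here because the baseline is documented on the redirect responses. The regressed sample yields three findings (the relaxed X-Frame-Options, the missing preload directive, and the absent Alt-Svc), while the matching sample yields none.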
Scope and Interpretation Notes
- This article documents verified edge-network behavior and response headers observed at publication time.
- Header sets can vary by route class (redirect, auth, app, API, and error responses).
- Values above reflect baseline controls seen on production and dev public entrypoints.